Back to skill

Security audit

Podwise

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Podwise podcast assistant, but it includes under-disclosed local profile reads and a risky remote install option that users should review before installing.

Install only if you trust the Podwise CLI and are comfortable giving it access to your Podwise account data, listening/read history, selected transcripts, and any local media you ask it to process. Prefer Homebrew or a reviewed release binary over the curl | sh installer, keep API keys out of shared terminals, avoid putting unrelated sensitive notes in taste.md, and review export destinations and generated file paths before approving them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill description is written so broadly that it can activate for generic requests about audio, summaries, transcription, or extracting insights, even when a more appropriate or safer skill should handle the task. Over-broad routing increases the chance of mis-invocation, unnecessary access to local files or external URLs, and execution of Podwise-specific workflows on requests that were not clearly intended for this skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The export commands send podcast-derived content to third-party services such as Notion and Readwise or write it to local files, but the reference does not instruct the agent to warn the user about disclosure, persistence, or destination-specific side effects before doing so. In a skill that handles transcripts, summaries, and potentially sensitive local media, silent export can leak private or copyrighted content outside the original system boundary.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installation guide instructs users to execute a remotely fetched shell script directly with `curl ... | sh` and provides no integrity verification, pinning, or review step. This creates a supply-chain risk: if the source, transport, repository, or referenced branch is compromised, users may immediately execute attacker-controlled code on their systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation tells users to paste an API key directly into a shell command without warning that the key is a sensitive secret. This increases the chance of credential exposure through shell history, screen sharing, terminal logging, process auditing, or copying the key into insecure environments.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The workflow explicitly instructs the agent to read a local file (`taste.md`) "silently," meaning it accesses workspace personalization data without clearly disclosing that action to the user at runtime. Even though the file is used for legitimate personalization, undisclosed local file access can violate user expectations, expose sensitive preference data, and normalize hidden data collection behavior in agent skills.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly instructs the agent to read a local `taste.md` file 'silently' and use its contents to personalize recommendations without first informing the user or obtaining fresh consent for accessing that local profile. Even though the data is relevant to the skill’s function, silent access to local preference data creates a privacy and transparency issue and could normalize undisclosed collection or use of personal information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow explicitly tells the agent to read `taste.md` from the current working directory "silently," meaning without user-facing disclosure or consent. That creates an unnecessary privacy risk because the file may contain sensitive preference or profile information unrelated to the immediate request, and the hidden access could surprise users or violate least-privilege expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to read `taste.md` silently and use its contents to influence behavior without notifying the user at the time of access. Even though the data is used for convenience, `taste.md` may contain sensitive preference or profile information, and silent access violates transparency and can expose or over-collect personal data beyond the user’s immediate request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to silently look for and read a local `taste.md` file in the current working directory without notifying the user or obtaining consent. This creates an unauthorized local data access path: even if the file is expected to contain preferences, it is still user-local content, and silently ingesting it can expose private notes, metadata, or unexpected sensitive content embedded in that file.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.