Reader Deep Dive

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims: read Readwise data, generate a briefing with an LLM, and send it by WhatsApp. Users should nonetheless treat the reading-history data flow as privacy-sensitive.

Install only if you are comfortable with your Readwise reading data and generated summaries being processed by the configured LLM and sent through WhatsApp. Before enabling cron or automation, verify the WhatsApp recipient, token storage, and whether URLs, titles, summaries, or archive-derived interests are included.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill advertises executable shell usage (`bash scripts/brief.sh`, cron command) and requires a sensitive API token, but it declares no permissions. That creates a transparency and governance gap: users and platforms cannot accurately assess that the skill executes local commands and accesses external services, increasing the risk of over-privileged or unexpected behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The stated purpose is a reading briefing, but the described behavior also includes outbound WhatsApp messaging, external AI processing of reading-derived content, and Readwise token usage without corresponding permission disclosure. This mismatch is dangerous because users may unknowingly allow exfiltration of private reading history and summaries to third-party services beyond what the description suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding: The script transmits the generated briefing to an arbitrary WhatsApp target via `clawdbot message send`, which is an external delivery channel not clearly disclosed by the skill description. Because the briefing is built from Readwise recent saves and archive data, this can exfiltrate personal reading history and summaries to a phone number with little user visibility or validation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The script sends reading-derived content to an external LLM CLI (`gemini`) for topic analysis and briefing generation. This is a real data-flow risk because article titles, summaries, and archive content may contain sensitive personal interests or proprietary material, and the manifest does not make that third-party processing obvious.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README describes analyzing a user's recent saves, mining their full reading archive, and sending synthesized results via WhatsApp, but it does not clearly warn users about the privacy implications of transmitting potentially sensitive reading-history data to external services or messaging channels. Because reading history can reveal health, political, professional, or personal interests, omission of an explicit disclosure and consent guidance creates a real privacy risk, especially when combined with third-party LLM inference and message delivery tooling.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill description and setup do not prominently warn that reading-derived content will be sent over WhatsApp. Because reading history can reveal sensitive interests, projects, health concerns, or political views, omission of this warning can lead to unintended disclosure to a messaging platform and any linked recipients/devices.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This script fetches Readwise account data and forwards portions of it to both `gemini` and WhatsApp, creating multiple external disclosure paths for personal reading history, summaries, URLs, and inferred interests. In the context of a reading-analysis skill, this is more dangerous because the collected content is highly personal and the transfers are not accompanied by clear user-facing notice or approval.

VirusTotal

66/66 vendors flagged this skill as clean.