ZLibrary2Kindle

Security checks across malware telemetry and agentic risk

Overview

This skill has a clear purpose, but it asks an agent to run an unpinned external package that handles account passwords, cached sessions, email sending, and file deletion.

Install only if you trust the external zlibrary2kindle package and are comfortable giving it Z-Library and SMTP/Gmail app-password access. Use a dedicated or revocable app password, verify the recipient Kindle email before sending, consider pinning or inspecting the package first, and delete cached sessions when finished on shared or untrusted machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 88% confidence
Finding:
The skill explicitly instructs users to export multiple high-value credentials, including account passwords and an SMTP app password, and then uses those credentials to authenticate and transmit files over email without any safety guidance on secret handling, storage, or recipient verification. In this context, the combination of credential collection, cached session material, and outbound file transfer increases the chance of credential exposure, accidental disclosure, or sending content to the wrong destination.

Missing User Warnings

Low, 80% confidence
Finding:
The skill documents that downloaded files are deleted after sending, but it does not clearly warn users before this destructive action or indicate whether deletion occurs automatically, conditionally, or can be disabled. That can cause unintended data loss, especially if users expect the downloaded file to remain available for verification, backup, or reuse.

VirusTotal

66/66 vendors flagged this skill as clean.
