Miniflux

Security checks across malware telemetry and agentic risk

Overview

This Miniflux skill fits its RSS-reader purpose, but users should know it can save an API key locally and change article read status.

Install only if you are comfortable giving the skill access to your Miniflux account. Prefer MINIFLUX_URL and MINIFLUX_API_KEY environment variables over CLI flags if you do not want the API key written to ~/.local/share/miniflux/config.json. Confirm before using mark-read, mark-unread, or refresh on many items, and consider pinning the Python dependency in higher-assurance environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documentation explicitly instructs the agent to read secrets from environment variables and to persist the Miniflux URL and API key into a local config file, yet no permissions are declared. That creates an undeclared capability gap: the skill can access credentials and write sensitive data to disk without transparent permission metadata, increasing the risk of credential exposure or unintended persistence.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The declared description frames the skill mainly as browsing and managing feed articles, but the documented behavior also includes additional state-changing and persistence actions such as marking unread, refreshing feeds, collecting stats, dedicated search flows, and saving server URL/API key to a local config file. This mismatch weakens user and policy expectations, so an agent may invoke operations with broader side effects than the metadata suggests.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The CLI silently persists the Miniflux base URL and API key to a local config file whenever --url or --api-key is supplied, but the skill description does not disclose this credential storage behavior. In an agent-skill setting, undisclosed secret persistence increases the risk of credential exposure through later file access, backups, shared home directories, or user surprise about where secrets are stored.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly instructs users to pass an API key via CLI flags and states that this saves the credential to ~/.local/share/miniflux/config.json, but it provides no warning about sensitive credential persistence, file permissions, or safer alternatives. For a feed-management skill with write actions and account-wide API access, silently encouraging local storage increases the chance of credential exposure through weak filesystem permissions, backups, shared accounts, or accidental disclosure.

Missing User Warnings

Low
Confidence: 80%
Finding
The skill documents commands that change article state (read/unread) but does not clearly warn that these commands modify remote Miniflux data. In an agent context, that omission matters because a model may treat them like ordinary retrieval commands and perform unintended state changes on a user's account.

Missing User Warnings

Medium
Confidence: 97%
Finding
The API key is written in plaintext to a local JSON config file without any user-facing warning or consent flow. In a local-agent environment, plaintext credential persistence can expose long-lived API access to other local processes, users, backups, or future tool invocations that were never intended to inherit the secret.

VirusTotal

66/66 vendors flagged this skill as clean.
