Security audit

Raindrop.io Bookmark Manager

Security checks across malware telemetry and agentic risk

Overview

This Raindrop.io skill is purpose-aligned, but it can save OAuth secrets in a local plaintext env file by default and can modify or delete live bookmark data.

Install only if you are comfortable giving a local CLI access to your Raindrop.io account. Prefer environment variables or a protected local env file, use --no-save when you do not want OAuth tokens written to disk, restrict permissions on any env file containing tokens, and verify collection or bookmark IDs before running delete or bulk import commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation describes capabilities to read environment variables, optionally load a local .env file, write tokens to local storage, and make network requests to the Raindrop.io API, but it does not declare corresponding permissions. That mismatch is a real security issue because users and policy enforcement cannot accurately understand or constrain what the skill can access, especially given it handles OAuth credentials and local files.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: OAuth access tokens, refresh tokens, and the client secret are persisted to a local env file automatically after auth completion, with no permission hardening or prominent warning at the save point. On multi-user systems or misconfigured environments, this can expose reusable credentials to other local processes or users and increase the blast radius of filesystem compromise.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The refresh flow silently writes refreshed access and refresh tokens back to disk, again in plaintext and without visible disclosure at the write site. This creates a persistent local secret store that may be harvested later if the file is readable by unintended parties or included in backups, sync tools, or logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical

Code: suspicious.exposed_secret_literal
Location: scripts/raindrop_manager.py:331