Deeptutor

Security checks across malware telemetry and agentic risk

Overview

DeepTutor is a disclosed EPUB reading assistant that saves generated notes to an Obsidian vault, with no evidence of hidden network, credential, destructive, or unrelated behavior.

Install this only if you want an agent to read local EPUB files and write generated reading notes into your Obsidian vault. Review the hard-coded vault path first, keep backups for important notes, and be aware that rerunning a chapter can overwrite that chapter note and refresh index/navigation files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to read local EPUB files and write notes into an Obsidian vault, but it does not declare those file read/write capabilities up front. That creates a permission-transparency problem: users and hosting systems may not realize the skill can access local files and modify persistent content. In an agent ecosystem, undeclared filesystem access increases the chance of unexpected data exposure or unwanted file modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill is presented as a tutoring/reading assistant, but the described implementation also performs concrete local file operations: EPUB parsing, content extraction, JSON/plaintext output, markdown writing, and vault rewrites. This mismatch can mislead users about the operational risk of invoking the skill, especially because 'tutor' framing downplays the fact that it reads arbitrary local files and persists output. The danger is not that tutoring is absent, but that the real attack surface is broader than the declared purpose suggests.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README repeatedly advertises that the skill will 'auto-save to Obsidian' and even points users to edit the save script path, but it does not clearly warn that invoking the skill causes writes into a local vault. In an agent/subagent context, implicit file modification increases the risk of unintended overwrites, vault pollution, or writing sensitive extracted book content into persistent notes without explicit user consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises that it 'auto-saves to Obsidian' and later instructs automatic saving, but it does not present this as a potentially state-changing action requiring explicit consent. Automatic writes to a knowledge vault can overwrite, clutter, or restructure user notes and may persist sensitive book-derived content without the user realizing the side effect. In a tool-enabled agent, silent persistence is a meaningful safety issue.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance says to use the skill whenever the user wants a broad class of outcomes ('content-driven... deepdive') without defining concrete trigger boundaries or limitations. This can cause over-activation or inappropriate routing, especially because the skill also appears to perform side effects like saving to Obsidian, increasing the chance of unintended tool use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This example explicitly instructs automatic saving to Obsidian but provides no warning that invoking the skill may create or modify user notes. A user or orchestrator following this prompt may trigger persistent data changes without clear informed consent, which is risky because note contents, naming, location, or overwrites may not match user expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This invocation example again includes save behavior without any user-facing notice about persistent modification of Obsidian data. Repeating the pattern in guidance makes unintended writes more likely and normalizes side effects as part of ordinary reading assistance, which is especially dangerous in a tutoring skill where users may expect analysis, not file operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quiz-mode example bundles educational analysis, quiz generation, and automatic saving into one prompt without warning about note creation or modification. Combining multiple actions with silent persistence increases the risk of accidental data writes and can lead to cluttered, misplaced, or overwritten notes if the user intended only an ephemeral response.

VirusTotal

67/67 vendors flagged this skill as clean.
