Pocket AI Transcripts

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it handles browser session tokens and private transcripts in a way users should review carefully before installing.

Install only if you are comfortable granting this skill access to your logged-in Pocket browser session and private recording data. Treat ~/.pocket_token.json like a password, remove it when not needed, and avoid using this on shared machines or in repos/backups that might copy home-directory files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill invokes shell commands, browser automation, network access, and writes a token file, but does not declare permissions or clearly scope those capabilities. Hidden capability expansion is dangerous because users and policy enforcement layers cannot accurately assess that the skill will access browser session data and persist credentials locally.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The skill is presented as a transcript retrieval tool, but it also reverse-engineers an API, extracts authentication tokens from the user's browser storage, and caches them in a local file. That mismatch prevents informed consent and creates a credential-handling pathway that could expose account access well beyond simple transcript reading.

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The skill includes an additional capability to extract Firebase access and refresh tokens from a logged-in Chrome profile via IndexedDB, which is far broader than simply reading transcripts. This bypasses normal authentication flows and accesses browser-stored credentials from another application context, materially increasing the risk of credential theft and unauthorized account access.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The code writes access and refresh tokens to a persistent file in the user's home directory, creating a local credential store that can be reused by other local processes or attackers with filesystem access. Because these are bearer credentials, theft of the file may allow continued access to Pocket data without re-authentication.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The README instructs users to extract a Firebase bearer token from their browser session and save it locally to ~/.pocket_token.json, but it does not clearly warn that this token is a sensitive credential that grants access to private recordings, transcripts, and summaries. Because the skill handles highly sensitive conversation data, insecure storage, accidental disclosure, or reuse of the token by other local processes could expose confidential personal or business information.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill handles highly sensitive meeting transcripts, summaries, action items, and possibly location metadata, but provides no privacy warning or guidance on safe handling. Users may unknowingly expose confidential business, personal, or regulated information when invoking the skill or sharing outputs.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The instructions direct extraction of a Firebase bearer token from browser data and storage in ~/.pocket_token.json without clearly warning that the token is a sensitive credential. If another process or user reads that file, or if the token is mishandled in logs or outputs, it could enable unauthorized access to Pocket account data until expiry or refresh.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill silently stores authentication material on disk without any user-facing disclosure or consent. Even if intended for convenience, undisclosed credential caching weakens user privacy expectations and can expose sensitive account access if the file is copied or read by other software.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The browser token extraction routine reads authenticated Firebase tokens directly from Chrome's IndexedDB for a logged-in session, but does not provide a strong privacy warning or explicit consent flow. This is dangerous because it accesses browser-held credentials that users may not expect a transcript skill to inspect, enabling unauthorized reuse of their authenticated session.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal