Back to skill

Security audit

Pocket AI Transcripts

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible Pocket transcript reader, but it asks for sensitive browser session tokens and stores them locally in a way users should review carefully.

Install only if you are comfortable granting the skill access to your logged-in Pocket browser session and private recording data. Treat ~/.pocket_token.json like a password, delete it when not needed, avoid shared machines, and do not allow this file or transcript outputs to be copied into backups, repositories, logs, or public channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return None
    
    try:
        result = subprocess.run(
            [str(browser_eval), js_code],
            capture_output=True, text=True, timeout=30
        )
Confidence
87% confidence
Finding
result = subprocess.run( [str(browser_eval), js_code], capture_output=True, text=True, timeout=30 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill invokes shell commands, performs network access to a reverse-engineered API, reads browser-derived authentication state, and writes a token file, yet declares no permissions or trust boundaries. That mismatch is dangerous because users and hosting systems are not clearly informed that the skill can access local files, extract auth tokens, and contact external services handling sensitive transcript data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill description suggests transcript retrieval, but the code also accesses Firebase tokens directly from the user's browser IndexedDB and stores them locally in a cache file. This is a credential-harvesting behavior that expands the skill from data access to session-token extraction, creating a risk of account compromise and unauthorized reuse of bearer tokens.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code invokes an external browser helper to execute JavaScript that reads the Firebase local storage database of a logged-in browser session. That gives the skill an unjustified ability to reach into another trusted application context and extract secrets, which is especially risky because the helper path is discovered from user-writable home directories and its output is trusted.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to extract a Firebase bearer token from a browser session and store it locally in `~/.pocket_token.json`, but it does not clearly warn that this token is a sensitive credential that can grant access to private recordings and transcripts until expiration. In the context of a skill that handles personal conversation data, normalizing token extraction and storage without handling precautions increases the chance of credential leakage through weak file permissions, accidental sharing, backups, or logs.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes listing recordings, retrieving full transcripts, summaries, and searching conversation content, but it does not warn that these materials may contain highly sensitive personal, business, legal, or health information. Because this skill is specifically designed to access recorded conversations, the absence of privacy guidance makes unsafe downstream handling more likely, such as over-sharing transcript contents, storing them insecurely, or processing third-party conversations without adequate consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs extraction of a Firebase bearer token from the browser and stores it in ~/.pocket_token.json without a clear warning about credential sensitivity, reuse risk, or local compromise impact. A stolen token could allow unauthorized access to recordings, transcripts, summaries, and possibly metadata until expiry, and normalizing browser-token extraction increases the chance of mishandling credentials.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill processes highly sensitive user content, including meeting transcripts, summaries, action items, and potentially latitude/longitude metadata, but provides no explicit privacy or data-handling warning. In this context, omission is risky because transcripts often contain confidential business, personal, or regulated information, and users may not realize the skill retrieves, stores, searches, and prints such data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill handles highly sensitive credentials by extracting auth tokens from the browser and writing them to a local JSON file without meaningful safeguards or strong user disclosure. Even if intended for convenience, silent credential collection and plaintext local caching increase the chance of inadvertent exposure to other local processes, backups, or users.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.