blog-to-kindle

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its blog-to-Kindle purpose, but it can automatically email local files through the user's Mail app to a hardcoded Kindle address without a confirmation step.

Review before installing. Replace the hardcoded Kindle address, require the user to enter and confirm the recipient and attachment before every send, restrict sending to EPUBs generated by the skill, and fix AppleScript escaping or use a safer mail-sending flow. Only provide the API key if you are comfortable sending cover prompts to the external image provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of environment variables, network access, filesystem reads/writes, and shell tooling, yet no corresponding permissions are declared. This creates a transparency and sandboxing gap: a caller may invoke the skill without realizing it can access secrets, write local state, contact external services, and run local tools.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior exceeds and diverges from the declared purpose by including outbound email delivery via Mail.app and by embedding a hardcoded recipient address. Purpose/behavior mismatch is dangerous because it hides external transmission and recipient targeting behind a benign-sounding scraping/EPUB workflow, increasing the chance of unintended data exfiltration or misdelivery.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Documenting AppleScript-driven Mail.app automation gives the skill a local email-sending capability that can transmit generated content off-device. Even if the feature is related to Kindle delivery, it is high risk because it automates outbound communication from a local client without strong user confirmation, recipient validation, or data-loss safeguards.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The manual workflow retrieves a local API credential from the macOS Keychain and uses it to call an external service. While generating a cover is plausibly related to the skill, accessing local secrets and transmitting data to a third party expands the trust boundary and can expose credentials or user content without clear necessity or consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The workflow automates outbound email through Mail.app/AppleScript to send generated books to a Kindle address. Although sending to Kindle is part of the feature set, mail automation can transmit files without an explicit confirmation step and broadens the skill from content compilation into message-sending on the user's behalf.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script accepts an arbitrary local file path and emails that file through Mail.app to a Kindle address, which enables exfiltration of any readable local document rather than only generated blog EPUBs. In the context of a skill advertised for blog-to-Kindle compilation, this broader behavior increases risk because an agent could be induced to send unrelated local files containing sensitive data.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code automates Mail.app through AppleScript and osascript, giving the skill the ability to send emails from the user's local mail client. That is a sensitive capability because it crosses from content generation into local application control and outbound messaging, which can be abused for unauthorized transmission of data or social-engineering messages if triggered unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow tells users to send the generated EPUB to a Kindle address but does not warn that this is an external transmission of content. That omission is risky because users may assume the operation is purely local while the skill actually exports compiled material off-device to an email endpoint.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The cover-generation section sends prompts to a third-party API but does not clearly disclose that prompt data leaves the device. If prompts include author names, titles, or user-provided text, this can expose potentially sensitive or proprietary information to an external service without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Exposing a default personal Kindle email and encouraging use of it creates a strong risk of accidental misdelivery of user-generated or scraped content to an unintended private recipient. This is especially dangerous because the address is presented as the default workflow target rather than an example requiring replacement.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The workflow includes third-party API use and later email transmission but does not prominently warn users that prompts, generated assets, recipient addresses, and attachments may leave the local machine. This omission can lead users to disclose personal or copyrighted material without understanding the privacy implications.

Ssd 3

Medium
Confidence
98% confidence
Finding
A hardcoded personal Kindle email address is sensitive operational data and normalizes sending content to a private recipient in standard usage. This can lead to privacy breaches, unintended disclosure of compiled content, and reputational harm for both users and the address owner.

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

result = requests.post(
    "https://api.skillbossai.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
82% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SKILLBOSS_API_KEY = os.environ["SKILLBOSS_API_KEY"]

result = requests.post(
    "https://api.skillbossai.com/v1/pilot",
    headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
82% confidence
Finding
requests.post( "https://api.skillbossai.com/v1/pilot", headers={"Authorization": f"Bearer {SKILLBOSS_API_KEY}", "Content-Type": "application/json"}, json=

VirusTotal

60/60 vendors flagged this skill as clean.
