karakeep-sh

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Karakeep API helper, but it can read and change bookmark data when given a Karakeep API key.

Install only if you want an agent to manage your Karakeep account. Use a limited or revocable API key if available, verify KARAKEEP_SERVER_URL, and require explicit user approval before destructive or account-changing actions, not only deletions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs use of a shell script and shell-based functions, yet no declared permissions are documented. That creates a capability transparency problem: an agent or reviewer may underestimate that the skill can execute local commands and make outbound API calls using environment-provided credentials. In a security-sensitive environment, undeclared shell access increases the chance of unintended execution and misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The public description says the skill supports notes, updates, and deletion, but the body exposes substantially broader behavior: listing, searching, content retrieval, and list/tag manipulation. This mismatch can cause users or orchestrators to invoke the skill without understanding its full read/write scope, enabling unintended data access or modification. Hidden breadth is especially risky because the skill uses a full REST API and can affect more objects than the description implies.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill is described in broad, generic terms without clear activation boundaries such as when it should be used, what user intent is required, or which operations need confirmation. Broad activation language raises the likelihood of accidental invocation in contexts where a user merely mentions bookmarks or Karakeep, leading to unexpected API calls or data exposure. Because the skill includes both read and write actions, unintended invocation has practical security consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill warns only about confirming deletion, but many other operations also change state or transmit potentially sensitive bookmark data, including create, note updates, list creation, list membership changes, and tag changes. It also supports search and content retrieval, which can expose stored information from the bookmark system. Selectively highlighting deletion understates the risk of the rest of the API surface and may mislead users into assuming other actions are harmless.

VirusTotal

66/66 vendors flagged this skill as clean.
