Instapaper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Instapaper CLI helper whose credential use and bookmark-changing commands are disclosed and fit its purpose.

Install the external `ip` CLI only from a source you trust, consider pinning or reviewing a specific release, protect Instapaper credentials, and require explicit approval before running bulk import/export, folder, highlight, or delete commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This markdown file includes an authentication example that handles a user password directly, but the surrounding documentation does not warn about the sensitivity of credentials or recommend safer handling practices. Because SQP-2 applies to markdown files when user data or privacy-affecting behavior is described without warnings, this omission is a valid safety finding.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: - Login (stdin password): - `printf '%s' "pass" | ip auth login --username "you@example.com" --password-stdin` - Add `--no-input` to disable prompts. - Check auth: - `ip auth status` or `ip --json auth status` - Config:
Confidence: 85% confidence
Finding: disable prompt

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal