Back to skill

Security audit

Instapaper

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only helper for using an Instapaper command-line tool, with account access and bookmark-changing commands disclosed and aligned with its purpose.

Install the `ip` CLI only from a source you trust, consider pinning or reviewing a specific release, avoid placing real passwords directly in shell commands or logs, and require explicit approval before running bulk import/export, folder, highlight, or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation includes an authentication example that places a literal password into a shell pipeline. While `--password-stdin` is better than passing a password directly as a command-line argument, the example still normalizes handling secrets in plaintext and may lead users to expose credentials through shell history, process inspection, pasted logs, or reused insecure scripting patterns. In a CLI skill focused on automation and authentication workflows, this is more dangerous because users are likely to copy-paste examples into real scripts.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.