Back to skill

Security audit

Raindrop.io Bookmarks

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Raindrop.io bookmark manager, but it can change or delete bookmarks and uses a local token file if configured.

Install only if you want the agent to access and manage your Raindrop.io account. Prefer setting RAINDROP_TOKEN through a trusted environment, or keep ~/.config/raindrop.env private with restrictive permissions and only a simple token assignment. Confirm bookmark IDs and collection targets before delete, update, move, or bulk-move commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill documents destructive actions such as delete, move, update, and bulk operations without any warning about irreversible changes or the risk of affecting many bookmarks at once. In an agent setting, this increases the chance of accidental data loss or unauthorized modification if a user request is ambiguous or the agent acts too broadly.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The setup instructions encourage storing an API token in a local env file and passing it on the command line, but do not warn that tokens are sensitive secrets. Command-line arguments can be exposed via shell history or process listings, and plaintext env files can be read by other local processes or users if permissions are weak.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete command performs an irreversible remote deletion immediately with no confirmation, dry-run, or safeguard. In an agent/tooling context, a mistaken parameter, prompt injection, or operator error could silently destroy bookmark data with a single call.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script silently sources a sensitive local credential file without informing the user, which expands the tool's trust boundary beyond the declared CLI arguments and environment variable. In an agent setting, undisclosed credential pickup can cause the tool to act under a real account unexpectedly, increasing the chance of unauthorized remote reads or writes.

Credential Access

High
Category
Privilege Escalation
Content
DELAY=0  # ms delay between requests for rate limiting

# Auto-source token from config if not set
if [[ -z "$TOKEN" && -f ~/.config/raindrop.env ]]; then
  source ~/.config/raindrop.env
fi
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
# Auto-source token from config if not set
if [[ -z "$TOKEN" && -f ~/.config/raindrop.env ]]; then
  source ~/.config/raindrop.env
fi

usage() {
Confidence
97% confidence
Finding
.env

Tool Parameter Abuse

High
Category
Tool Misuse
Content
[[ -z "${1:-}" ]] && die "Bookmark ID required"
    id="$1"
    is_uint "$id" || die "Bookmark ID must be an unsigned integer"
    api DELETE "/raindrop/$id" | if [[ "$FORMAT" == "json" ]]; then cat; else jq -r 'if .result then "Deleted" else "Failed" end'; fi
    ;;
  
  move)
Confidence
93% confidence
Finding
DELETE "/raindrop/$id

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.