ClawHub

Castreader Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

CastReader does what it advertises, but users should review it because it can upload article and local book text to a remote TTS service and has weak scoping around URLs, local library access, and command templates.

Review before installing. Use it only with URLs and book/text content you are comfortable sending to CastReader or a configured TTS endpoint and then delivering through Telegram as an MP3. Avoid private, proprietary, confidential, or copyrighted material unless you have permission, and clear /tmp/castreader-* files after sensitive use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill executes Node.js scripts that fetch remote URLs, access a local synced book library, and send files through a messaging channel, but it does not declare corresponding permissions or clearly bound those capabilities. This creates a transparency and policy-enforcement gap: users and hosting platforms may not realize the skill can access network resources and local data, increasing the risk of unintended data access or exfiltration.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads a local book's full text and sends it to an environment-configured remote API endpoint for TTS generation, optionally with an Authorization bearer token. Because both the endpoint and credentials are externally configurable, sensitive book content can be exfiltrated to an unexpected service, and users may not realize that local library content is leaving the machine.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases include broad everyday language such as 'read this article', 'read aloud', and 'text-to-speech', which can cause the skill to activate in contexts the user did not specifically intend for this tool. Because the skill can fetch URLs, enumerate synced books, and send audio files, accidental invocation could expose private content or trigger unwanted processing and outbound delivery.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The description markets the feature set but does not warn users that provided URLs will be fetched and processed, that local synced book libraries may be accessed, or that generated audio will be delivered through Telegram messaging. In this context, missing disclosure is significant because the skill handles potentially sensitive reading material and transmits derived content externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API reference shows arbitrary input text being sent to `https://api.castreader.ai` for speech generation but does not warn that page/book/article content is transmitted to a remote service. In this skill's context, users may expect local read-aloud behavior while actually sending potentially sensitive webpage, document, Kindle, or WeChat Reading text off-device, creating a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends the full contents of a local text file to a remote TTS service at `${API_URL}/api/captioned_speech_partly` without any explicit user warning, consent step, or data-sensitivity check. Because this skill is specifically designed to read arbitrary web pages and synced book/library content aloud, it may process copyrighted, private, or otherwise sensitive text, making silent exfiltration to a third-party service a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends extracted article text to a remote service at `${API_URL}/api/captioned_speech_partly` for TTS generation, which is a real privacy and data-handling concern because page contents may include sensitive, copyrighted, or user-private material. In this skill's context, the behavior is functionally necessary for cloud TTS, but the lack of explicit disclosure/consent in the code path means users may not realize their content is transmitted off-device to a third party.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When --audio is used, the script posts the entire remaining book or chapter text to a remote TTS API without an in-band warning or consent step at execution time. In the context of a book-reading skill handling synced Kindle/WeChat Reading content, this creates a meaningful privacy and data-sharing risk, especially for copyrighted, personal, or confidential material.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal