Security audit

Castreader Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

CastReader does what it claims, but it can extract sensitive page content and send it to remote services over an insecure default connection.

Install only if you are comfortable with extracted webpage, document, chat, or ebook text being processed by CastReader's remote TTS service and possibly sent through a messaging channel. Avoid private, internal, copyrighted, legal, medical, financial, or logged-in pages unless you have clear authorization and have configured a trusted HTTPS endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes Node scripts that fetch remote URLs and may access environment data, yet it declares no permissions. That creates a transparency and sandboxing problem: users and the platform cannot accurately assess or constrain what the skill can access, and hidden network/env use can enable unexpected data exfiltration or policy bypass if the scripts are expanded or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a genuine high-risk mismatch: the skill presents itself as a simple URL-to-audio tool, but the underlying behavior reportedly includes browser automation, extension/background messaging, OCR, support for chat and workspace apps, and access to content far beyond a public article page. In context, that means users may unknowingly authorize extraction of sensitive content from logged-in sessions, private documents, chats, or ebook platforms, substantially increasing privacy and exfiltration risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This bundle contains OCR, glyph-mapping, and deobfuscation logic for Kindle/Fanqie-style reader content, which materially expands the skill from ordinary webpage/article extraction into defeating platform rendering and content-protection mechanisms. In a skill advertised as 'read any web page aloud,' this covert capability increases legal/compliance risk and enables extraction of protected ebook text the user may not otherwise be authorized to export.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The WeRead-specific logic reads hidden/internal caches, intercepted DOM attributes, layout hooks, and canvas-derived text positioning rather than just visible page text. That goes beyond normal page extraction and can expose content from app-internal state or rendering pipelines that users and site operators would not expect a generic webpage reader to access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that extracted webpage text is sent to a remote Kokoro TTS API, but it does not clearly warn users that page contents may leave the local machine. This creates a real privacy and data-handling risk, especially if users apply the skill to private documents, internal knowledge bases, chat transcripts, or authenticated pages where sensitive content could be transmitted to a third-party service.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad everyday language such as 'read this page to me' and 'listen to this article,' which can cause accidental invocation. In this skill's context, unintended activation is more concerning because the tool can fetch arbitrary URLs and, per the broader behavior, may access richer browser/document contexts than users expect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference documents sending user-provided page text to a remote text-to-speech service over plain HTTP, which creates a real confidentiality risk because webpage contents may include sensitive or copyrighted material and can be intercepted or logged in transit. In the context of a browser-based reading skill that extracts arbitrary web pages, this is more dangerous because users may reasonably expect local reading rather than remote transmission of full article content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits paragraph content to an external TTS service, which can expose user-supplied or extracted webpage text to a remote system. In a skill that processes arbitrary URLs and article content, this creates a real privacy and data-handling risk if users are not clearly informed that their content leaves the local environment.

VirusTotal

66/66 vendors flagged this skill as clean.
