Security audit

Readwise Reader

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Readwise Reader integration that uses a user-provided token to list, create, update, and delete Reader documents as advertised.

Install only if you want an agent to manage your Readwise Reader library. Keep READWISE_ACCESS_TOKEN private, do not commit or share .env files, prefer shell/session secrets or a secret manager, review document IDs before update/delete actions, and avoid --confirm unless you intentionally want deletion.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill supports update, bulk update, and delete operations against a user's Readwise library but does not prominently warn that these actions are destructive or potentially irreversible. In an agent setting, this raises the risk of unintended data loss or mass modification if a user request is ambiguous or the agent acts without explicit confirmation.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The authentication section instructs users to place a long-lived access token in a `.env` file or directly on the command line without any guidance on secret handling. This increases the risk of credential exposure through shell history, logs, screenshots, committed files, or overly broad file access by other tools.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The guide tells users to place a long-lived API access token in a local `.env` file but does not warn them to keep that file out of version control, restrict file permissions, or avoid sharing it. This can lead to accidental credential disclosure through commits, backups, screenshots, or copied project folders, enabling unauthorized access to the user's Readwise Reader account.

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low

Category: Supply Chain
Confidence: 66% confidence
Finding: python-dotenv

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.