Security audit

Readwise Article Saver

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Readwise saver, but it can automatically fetch and send links or article content to external services with broad triggers and little user control.

Review before installing. Use it only if you are comfortable giving it a Readwise token and having pasted article URLs, fetched content or HTML, metadata, and generated tags sent to Readwise and possibly an LLM provider. Prefer a version that requires explicit Readwise save intent, confirms ambiguous or batch saves, strips sensitive URL parameters, supports URL-only mode, and avoids broad exec access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill requires network access and sensitive environment variables (`READWISE_TOKEN`, `OPENROUTER_API_KEY`) but does not declare explicit permissions. That creates a transparency and governance gap: reviewers and users may not realize the skill can exfiltrate user-provided URLs/content to third-party services and use stored secrets for outbound actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The README describes very broad activation conditions such as using the skill whenever the user sends any URL or says generic phrases like 'save this', which can cause unintended invocation on links that are not articles or were not meant for Readwise. In a skill that performs network fetches and sends content to external services, overbroad triggering increases the chance of accidental data processing, privacy leakage, and user-surprising actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explains that the skill fetches article HTML, saves it to Readwise, and uses an external LLM service for content-based tagging, but it does not prominently warn users that article content and metadata may be transmitted to third-party services. This omission is risky because users may paste sensitive, private, or access-controlled links without realizing their contents could be processed off-platform.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger scope is extremely broad, activating on nearly any pasted `http/https` link or phrases like 'save this'. This increases the chance of unintended execution, causing private or irrelevant URLs to be transmitted to Readwise and other services without the user clearly intending that specific action.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly instructs immediate external saving and content fetching without confirmation or warning. This can send user-supplied URLs and fetched article content to Readwise, OpenRouter/LLM tooling, and target sites, creating privacy leakage and unintended third-party disclosure, especially for private, signed, or confidential links.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest allows the main agent to use the `exec` tool without any visible scoping, approval gate, or context restriction. Because this skill is triggered by user-supplied URLs and article content, broad command-execution capability creates a dangerous path from untrusted input to local/system actions, increasing the chance of command execution, data access, or unintended side effects if downstream logic is ever prompt-influenced or mishandles inputs.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script fetches article content and, in some paths, forwards full HTML to Readwise without any explicit user disclosure at execution time. In a link-saving skill, users may expect only the URL to be stored; silently transmitting full fetched content can expose private, tokenized, or sensitive page contents to a third party.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Workflow

When the user sends a message containing one or more URLs, execute these steps
**immediately without asking for confirmation**.

### Step 1 — Fetch and save the article
Confidence
91% confidence
Finding
without asking

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.