read-it-later
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (MEDIUM): The skill is designed to ingest and process content from external URLs and raw HTML. Ingestion Point: command arguments in readwise.ts. Boundary Markers: Absent. Capability: Network write to Readwise API. Sanitization: Absent. This creates a surface where malicious instructions embedded in the processed articles could influence the agent's logic.
- Unverifiable Logic (MEDIUM): The core functionality is implemented in external files (send-markdown.ts and readwise.ts) that are not included in the provided skill content. This prevents a full security audit and makes it impossible to verify if the scripts perform unauthorized actions.
- Data Exfiltration (LOW): The skill is intended to send data to an external service (Readwise). While this is the stated purpose, the use of an API token (READWISE_ACCESS_TOKEN) and the transmission of potentially sensitive summaries constitutes a controlled exfiltration path that should be monitored.
- Command Execution (LOW): The skill executes local TypeScript scripts using Bun. While the execution paths are relative to the skill directory, the content of the executed scripts remains unverifiable in this context.
Audit Metadata