12agent Novel

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Chinese long-form novel writing workflow that uses project files and sub-agents as advertised, though users should understand its background-agent and local-config access before installing.

Install only if you want a structured Chinese novel-writing system that can create and modify many project files and use sub-agents for drafting, review, summaries, and feedback. Review the model configuration step if your OpenClaw config contains credentials, and avoid auto-advance/background workflows for sensitive manuscripts unless you are comfortable sending that content to the configured model providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to read user-level and system-level OpenClaw configuration files (`~/.openclaw/openclaw.json`, `./openclaw.json`, `/etc/openclaw/openclaw.json`) to enumerate available models. For a novel-writing initializer, this reaches beyond project-local inputs into potentially sensitive environment configuration, disclosing installed providers/models and normalizing access to global files without strict necessity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The optimization launches a background session that includes project metadata such as title, genre, and tone, but the design does not describe any explicit user notice, consent, or visibility into what is being sent to the parallel worker. In an agent skill, hidden background processing can expose sensitive draft material or user-provided story concepts to additional model contexts without the user's awareness, making this a real transparency and data-handling issue.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The template explicitly instructs the coordinator to prepare all pending changes in memory and then perform all file modifications in one batch, affecting multiple project files without any built-in requirement for explicit user confirmation at execution time. In an agent skill, this increases the risk of unintended mass modification, especially if the chapter state is wrong or the agent misinterprets context, because a single action can overwrite or append across core metadata, workflow state, trackers, and archives.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The file explicitly states that output should always use the target language and defaults that target language to Chinese, which can override or constrain user language preference. In an agent skill, hard-coding a default language without clear user opt-in can cause instruction-priority conflicts, unexpected behavior, and reduced user control over outputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document directs the agent to create a full project directory tree and populate multiple files under `projects/<项目名>/` without an explicit warning or consent step for filesystem modifications. Even if the changes are expected for setup, silent file creation can overwrite user expectations, clutter storage, or write into unintended locations if the project name/path is mishandled.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill reads `openclaw.json` from user and system locations without a clear privacy notice or explicit consent. These files may reveal provider choices, model inventory, and other environment details unrelated to the immediate writing task, creating unnecessary privacy exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly reads multiple project documents (worldbuilding, character files, outline, and style-anchor preferences) and sends their contents to another agent via `sessions_spawn`, but the skill metadata/description shown to users does not warn about this cross-document data transfer. This can expose sensitive or proprietary manuscript content to a secondary model execution context without informed user consent, which is a real transparency and data-handling weakness even if the feature is functionally intended.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The flow states that the user's selected style sample will be saved to `meta/selected-style-sample.md`, but this persistence behavior is not disclosed in the skill description. Undisclosed writes are a legitimate safety concern because users may not realize their choice and generated text will become part of project state and influence later phases.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file explicitly instructs spawning asynchronous child agents that receive the full text of the last five chapters, and it does so without any user-facing disclosure, consent step, or data-minimization control. In a writing workflow, chapter text may contain unpublished, sensitive, or proprietary material, so silently forwarding it to sub-agents increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly instructs the agent to update multiple project files, including metadata, chapter content, and tracker documents, but does not require any user-facing confirmation or warning before those writes occur. In an agentic environment, this can lead to unintended or overbroad modification of user project state, especially because the workflow frames the writes as mandatory and part of a closed loop.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This workflow explicitly instructs the agent to modify multiple project files and even trigger asynchronous agents that may write results, but it does not require any user-facing confirmation or warning before altering user data. In an agent setting, this can lead to unintended or surprising persistence, broad state changes, and hard-to-reverse modifications if the workflow is invoked incorrectly or with stale context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The chapter rewrite flow performs persistent writes to multiple project files, including replacing chapter content, updating metadata, and appending to archives, without requiring an explicit user acknowledgment at the point of modification. In an agentic system, this increases the risk of unintended destructive edits or silent state drift, especially when a user request is ambiguous or narrower than the full documented write set.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The cascade consistency process writes to tracking and workflow state files and may queue future rewrites, but it only mentions user choice for downstream chapter handling, not for the persistent state changes themselves. This can create silent long-lived project mutations that alter future agent behavior, resume flows, and maintenance prompts without clear informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
