Security audit

Solscribe

Security checks across malware telemetry and agentic risk

Overview

SolScribe is mostly a local book-writing tool, but it includes an under-disclosed unauthenticated localhost server that can read and modify manuscript data when run.

Install only if you are comfortable with a local manuscript manager that stores chapters, backups, and session logs on disk. Do not run server.py unless you need the HTTP interface; if you do, treat localhost:3847 as sensitive because other local software could read or change manuscript data through it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp1
Severity: High
Category: MCP Least Privilege
Confidence: 96%
Finding: This file implements an HTTP server and accepts local POST requests, which is a network capability not declared in the manifest permissions. Even though it binds to localhost, any local process can interact with it, creating an unintended control surface for chapter access, AI-driven write actions, and export operations.

Lp1
Severity: High
Category: MCP Least Privilege
Confidence: 75%
Finding: The skill uses a 'shell' capability that is not listed in its permissions. This may indicate deceptive intent or a missing permission declaration.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The skill metadata presents a simple book-writing companion, but the documented behavior includes materially broader file operations such as deletion, session logging, backups, export, and an HTTP server. This mismatch can mislead users and reviewers about the true attack surface and data-handling behavior, increasing the chance that sensitive manuscript content is exposed or modified without fully informed consent.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The script description explicitly states it backs up data and pushes to GitHub, which is functionality beyond a writing companion's declared scope and beyond the listed file.read/file.write permissions. Even if intended for convenience, undisclosed external synchronization can exfiltrate manuscript contents, metadata, or repository credentials and violates least-privilege expectations.

Scope Creep
Severity: High
Confidence: 96%
Finding: The backup script invokes Python code that, per the comment and finding, performs GitHub synchronization despite the skill only declaring local file read/write permissions. Hidden or undeclared remote transmission is dangerous because it can send private drafts or tokens off-host, and users evaluating permissions would not reasonably expect network-capable behavior from this manifest.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The skill is described as a book-writing companion, but this file also runs a background HTTP daemon that accepts commands. That hidden interface increases attack surface and can mislead users or reviewers about how the skill can be invoked, making abuse by other local software more likely.

Scope Creep
Severity: High
Confidence: 98%
Finding: The code opens a listener on localhost:3847 despite the manifest declaring only file.read and file.write permissions. This mismatch means the skill exposes a privileged control API outside the declared permission model, allowing local applications to trigger reads, writes, chapter retrieval, and export behavior without explicit user awareness.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The comment states that chapter revision preserves existing content and appends a new revision, but the code actually calls revise_chapter with only the new content, replacing the chapter body. In a writing assistant with file.write capability, this mismatch can cause unexpected data loss when a user believes they are performing a non-destructive revision.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The docstring states chapters are 'NEVER overwritten' and 'permanent', but the implementation includes update and delete flows that rewrite or remove chapter files. This mismatch is dangerous because users or downstream agents may rely on the safety guarantee and perform actions assuming content is immutable, leading to unintended data loss or destructive behavior.

Vague Triggers
Severity: Medium
Confidence: 92%
Finding: Using plain text as a catch-all trigger means ordinary conversational input may be interpreted as a command to append content or create a chapter, causing unintended writes to disk. In a skill with file.write permission and automatic filing behavior, ambiguous activation increases the risk of silent data corruption, privacy-sensitive logging, and accidental creation of persistent records from unrelated messages.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The statement that Amre can send content 'however is convenient' and that SolScribe will file it into the right chapter leaves activation boundaries unclear. That ambiguity is dangerous because the skill may ingest messages from mixed contexts and persist them to chapter files or session logs, especially given the strong privacy claims and broad local write behavior.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The export endpoint writes a DOCX file to the user's Documents directory when invoked, but this side effect is not disclosed in this file's interface and can be triggered over the local HTTP server. In context, the write is expected for a writing tool, but the combination of silent filesystem output and unauthenticated local invocation makes it abusable by other local processes.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: `delete_chapter` permanently removes both the chapter record and its on-disk file without any built-in confirmation, soft-delete, or safety interlock. In a writing assistant handling valuable manuscript data, accidental or induced invocation could cause immediate loss of user content, with recovery dependent on backups that may not be obvious or complete.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The session logger stores full user prompts and assistant responses verbatim in plaintext markdown files, creating persistent local copies of potentially sensitive manuscript content, personal data, or confidential notes. In the context of a private book-writing tool, this increases exposure because users may reasonably expect content to reside only in chapter files, not duplicated in separate logs.

VirusTotal

51/51 vendors flagged this skill as clean.