lobster-novel

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real novel-writing tool, but it sends manuscript/project content to external LLM services and includes under-scoped code-execution paths that need review before installation.

Install only if you are comfortable with your novel bible, outlines, chapter drafts, continuity notes, and review context being sent to external LLM providers including SenseNova and DeepSeek. Use scoped API keys, avoid running it on confidential manuscripts unless you have reviewed provider terms, and do not set NOVEL_DIR or LOBSTER_EVOLVER to untrusted directories. Treat the self-evolving lesson bridge and optional sync behavior as high-impact until it is documented and constrained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (31)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
"""Call bridge_to_self_improving to sync to ~/self-improving/"""
    if BRIDGE_SCRIPT.exists():
        import subprocess
        result = subprocess.run(
            [sys.executable, str(BRIDGE_SCRIPT)],
            capture_output=True, text=True, timeout=30)
        print(result.stdout)
Confidence: 95%
Finding:
result = subprocess.run( [sys.executable, str(BRIDGE_SCRIPT)], capture_output=True, text=True, timeout=30)

Tainted flow: 'BRIDGE_SCRIPT' from os.environ.get (line 22, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
"""Call bridge_to_self_improving to sync to ~/self-improving/"""
    if BRIDGE_SCRIPT.exists():
        import subprocess
        result = subprocess.run(
            [sys.executable, str(BRIDGE_SCRIPT)],
            capture_output=True, text=True, timeout=30)
        print(result.stdout)
Confidence: 98%
Finding:
result = subprocess.run( [sys.executable, str(BRIDGE_SCRIPT)], capture_output=True, text=True, timeout=30)

Tainted flow: 'QC_SCRIPT' from os.environ.get (line 15, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
def run_qc(path):
    import subprocess
    r = subprocess.run(["python3", str(QC_SCRIPT), str(path), "--json"],
                       capture_output=True, text=True, timeout=30)
    if r.returncode == 0 and r.stdout.strip():
        return json.loads(r.stdout)
Confidence: 91%
Finding:
r = subprocess.run(["python3", str(QC_SCRIPT), str(path), "--json"], capture_output=True, text=True, timeout=30)

Tainted flow: 'QC_SCRIPT' from os.environ.get (line 16, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
def run_qc(path):
    import subprocess
    r = subprocess.run(["python3", str(QC_SCRIPT), str(path), "--json"],
                       capture_output=True, text=True, timeout=30)
    if r.returncode == 0 and r.stdout.strip():
        return json.loads(r.stdout)
Confidence: 91%
Finding:
r = subprocess.run(["python3", str(QC_SCRIPT), str(path), "--json"], capture_output=True, text=True, timeout=30)

Tainted flow: 'QC_SCRIPT' from os.environ.get (line 17, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
def run_quality_check(chapter_path):
    import subprocess
    result = subprocess.run(
        ["python3", str(QC_SCRIPT), str(chapter_path), "--json"],
        capture_output=True, text=True, timeout=30
    )
Confidence: 88%
Finding:
result = subprocess.run( ["python3", str(QC_SCRIPT), str(chapter_path), "--json"], capture_output=True, text=True, timeout=30 )

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The agent advertises itself as rule-based, but in __init__ it dynamically loads and executes Python from project_dir/review/aigc_detect.py via importlib and exec_module. If an attacker can modify project contents or influence the project directory, this becomes arbitrary code execution in the agent process, which is substantially more dangerous than the docstring suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The script reads substantial local material from bible.json, prior chapter files, and generated scene-verifier output, then sends that content to a third-party LLM service for chapter generation. Even if this is part of functionality, it creates a data-leakage risk because there is no consent flow, minimization, classification check, or redaction before transmission.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill includes an operational feature that executes an external bridge script, expanding its capabilities from local lesson processing into arbitrary secondary code execution. In the context of an agent skill, this increases risk because the external script may be changed independently, may not be reviewed together with this file, and is triggered through a simple CLI flag.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The docstring materially understates the script's behavior by implying only local content generation steps, while the code actually transmits project-derived content to an external LLM service. This can mislead operators into exposing story content, prompts, or other project data to a third party without informed consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The script transmits generated world-building prompts and chapter content to an external LLM service using an API key, but the file provides no manifest, consent flow, or documented justification for remote processing. In an agent-skill context, undisclosed third-party transmission can leak user content, proprietary material, or sensitive project data outside the local environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 81%
Finding:
The skill loads API credentials from environment variables and is capable of sending data to external services, but the provided context includes no manifest or user-facing declaration that networked credential use is required. In an agent-skill setting, undeclared external connectivity and secret use can surprise operators and violate least-privilege expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The call_llm function transmits prompts and model inputs to third-party LLM endpoints. Because the skill's purpose/manifest is unavailable, this creates an unjustified remote-data-transfer capability from local project content to external providers.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The deep-review path sends chapter text, continuity summaries, hook status, and character-state data to an external LLM. That substantially broadens exfiltration risk because it can disclose large portions of project content and internal state, which may be proprietary or sensitive.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The script reads DEEPSEEK_API_KEY into the module-level DEEPSEEK_KEY once, then later loads a value from .env only into os.environ without refreshing DEEPSEEK_KEY. This can cause requests to be sent with an empty or stale Authorization header, leading to authentication failure and potentially confusing operators into believing the API call is properly authenticated when it is not.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The README explicitly directs users to use an external API key and describes auto-writing through SenseNova, but it does not warn that prompts, manuscript content, summaries, or project metadata may be transmitted to a third-party service. In a novel-writing skill, users may input unpublished or sensitive creative material, so the omission can lead to unintended data disclosure and compliance/privacy issues rather than direct code-execution risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill explicitly advertises auto-writing via the SenseNova API and requires an API key, but it does not warn users that chapter drafts, prompts, plot context, or other novel content may be transmitted to a third-party service. This creates a real privacy and data-governance risk, especially if users include unpublished, proprietary, or sensitive material in their projects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The code transmits prompts containing world data and chapter context to an external API without any visible disclosure, confirmation, or policy gate. In a skill context, this is dangerous because operators may not realize local project contents are being exported to a remote service, increasing confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code sends assembled project and story content to an external LLM endpoint without any explicit consent, warning, or disclosure in this file. That can expose proprietary manuscripts, world-building notes, character data, or other sensitive project material to a third-party service, which is a real data-governance and confidentiality risk even if the transmission is intentional for functionality.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The script transmits user/project content such as volume summaries, character progression, and encounter details to a third-party API without any explicit consent prompt, warning, or redaction step. If the input contains unpublished or sensitive material, this can cause unintended data disclosure outside the local environment.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This code sends chapter summaries, world rules, location data, and character context to an external DeepSeek API, but the file contains no consent, notice, redaction, or policy gate around that transfer. If the project content is private, proprietary, or user-supplied, this creates a real data exposure risk to a third party service.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script silently reads a sensitive API credential from the environment and uses it without notifying the operator. In an agent-skill context, undisclosed credential use is dangerous because users may not realize the skill depends on external services or that stored secrets will be exercised on execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The code sends assembled prompts containing project content, character data, and generated text to a third-party LLM endpoint without any explicit notice or consent mechanism. In a skill setting, this creates a real data-exfiltration/privacy risk because locally supplied content may be sensitive or proprietary and is transmitted off-host by default.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The function sends prompts and generated story content to an external API without any user-facing disclosure in the script's description, comments, or runtime messaging. In a skill environment, silent network transmission is dangerous because operators may assume local-only processing while their content is actually being sent to a third party.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding:
The script reads an API credential from an environment variable without visible disclosure about credential use. While reading a secret from the environment is common practice, failing to document that the skill requires and consumes a credential can surprise users and lead to accidental misuse in shared or automated environments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script sends prompts containing project-derived content, including the loaded Bible data and generated outline material, to the external DeepSeek API without any consent gate, redaction, or explicit disclosure to the operator. In this context, outbound transmission to a third-party LLM can expose proprietary or sensitive creative/project data and may violate expected data-handling boundaries.

VirusTotal

66/66 vendors flagged this skill as clean.