Back to skill

Security audit

novel-bug-checker v2

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a novel-review tool, but some included templates and examples expand into host diagnostics, cross-skill execution, and publishing-style actions that users should review first.

Install only after reviewing the bundled templates and being comfortable with local report/log creation and the optional novel-master integration. Treat the repair, publishing, reader notification, and system-diagnostic sections as out of scope unless you explicitly authorize those actions in a separate workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read user files, optionally write output files, and access environment-scoped paths/scripts, but it declares no permissions or constraints. This creates a capability/permission mismatch that can lead to overbroad file access or unintended data exposure because the runtime and reviewer are not told what resources the skill needs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The v2 section expands this skill from analyzing a supplied novel into reading `~/.qclaw/workspace/novels/...` state files and executing scripts from a different skill (`novel-master`). Cross-skill filesystem and code access is dangerous because it breaks isolation, can expose unrelated workspace data, and allows this skill to trigger external code paths that are outside its stated trust boundary.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is described as a novel bug checker, but this example teaches it to diagnose software/API compatibility failures, including JSON deserialization errors and client update actions. That scope expansion can cause the agent to engage in unintended technical troubleshooting beyond its declared purpose, weakening least-privilege expectations and increasing the chance of unsafe or misleading actions in a context users would not expect.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script writes a log file, saves reports, creates output directories, and generates image files as side effects of analysis. In a skill presented as a checker/analyzer, undisclosed file-system writes can expose sensitive novel content in logs/reports, overwrite user files if paths are attacker-controlled, and violate least-surprise expectations in sandboxed agent environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template claims to support novel bug checking, but embeds extensive host and runtime diagnostics that are unrelated to that purpose. This creates unnecessary exposure of environment metadata and encourages collection of potentially sensitive system details without a clear functional need, increasing privacy and information disclosure risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documented collection of network state, kernel logs, radio logs, process lists, and thread information is unjustified for a novel-quality checking skill. If implemented, this could leak sensitive host telemetry, local network details, and process activity, materially expanding the skill's access beyond its stated purpose.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The embedded Python example operationalizes generation of system information and error telemetry rather than novel-specific analysis, which normalizes and facilitates over-collection. Even as an example, it provides implementation guidance that could cause downstream users to build a skill that accesses unrelated host data.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The template materially exceeds the declared scope of a checker-only skill by prescribing repair, release, notification, workflow execution, and even code-oriented implementation guidance. In an agent system, this kind of scope drift can cause the agent to take unauthorized content-modification or publishing actions instead of limiting itself to inspection and reporting, which is a real integrity and authorization risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
These sections instruct operational actions such as publishing repaired versions, updating work descriptions, and notifying readers, none of which are justified for a bug-checking skill. If an orchestrating agent follows this template literally, it could trigger unauthorized outward-facing actions and create integrity, reputational, and workflow abuse risks.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
Labeling the file as a repair-skill summary report conflicts with the manifest's stated checker identity and can mislead routing, prompting, or downstream operators about what the skill is allowed to do. That mismatch increases the chance of unsafe execution paths where a read-only analysis skill is treated as a remediation actor.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation phrasing is broad and does not define what inputs are in-scope, out-of-scope, or when the skill should refuse activation. In an agent setting, ambiguous triggers can cause over-invocation on adjacent tasks, leading to accidental processing of unrelated content or execution of behavior outside the intended novel-review function.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that reports are saved to local files and artifacts are generated, but it does not disclose that this implies write behavior. In an agent environment, undocumented file writes can violate user expectations, overwrite data, leak sensitive content into persistent storage, or be abused to create unauthorized artifacts on the host.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.