Security audit

Novel Bug Checker

Security checks across malware telemetry and agentic risk

Overview

The core novel-review skill is recognizable, but bundled templates and examples expand into software troubleshooting, system diagnostics, and publishing actions users would not expect.

Review this before installing. Use it only for local novel text analysis, avoid giving it real system logs or environment diagnostics, and be careful with generated report/log files because they may persist novel content or local details. Do not treat its templates as authorization to publish revisions, contact readers, or make operational changes without separate explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs the agent to install dependencies and run local Python scripts that read input files and optionally write output files, but it declares no permissions. This mismatch can lead to undeclared file and environment access, reducing transparency and allowing broader execution than a reviewer or runtime policy might expect.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The skill is scoped as a novel bug checker, but this example pivots into real software/API failure diagnosis and release remediation guidance. That scope expansion can cause the agent to engage in unintended technical troubleshooting workflows, increasing the chance of unsafe assistance, tool misuse, or bypass of domain-specific safeguards that would normally apply to software engineering tasks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The file shifts from novel-quality review into software debugging methodology, including error messages, code snippets, runtime context, and reproduction steps. This expands the skill beyond its declared scope and can cause an agent to solicit or process technical system data that users would not expect to provide to a novel-review skill, increasing prompt-scope confusion and possible data overcollection.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The content explicitly teaches handling code-related errors and system-exception analysis despite the skill being presented as a novel bug checker. In context, this mismatch is dangerous because it may induce the agent to accept source code, logs, and operational details under an unrelated persona, which can bypass user expectations and create unintended capability expansion.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The template for a novel bug-checking skill includes broad host diagnostic content such as crash traces, memory stats, process listings, filesystem details, and network state that are unrelated to the declared skill purpose. This creates unnecessary data exposure and can leak sensitive environment information if generated from a real host, expanding the skill from content analysis into system reconnaissance.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: Including IP addresses, gateway, interfaces, and route tables in a report for a novel-analysis skill is unjustified and exposes operational network details. Such information can aid lateral movement, environment fingerprinting, or targeted follow-on attacks if the report is shared, logged, or exfiltrated.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The template contains detailed system properties, process lists, memory maps, VM traces, filesystem layout, and runtime errors that far exceed the needs of checking novel logic or pacing. In practice, this can disclose sensitive host metadata, usernames, paths, installed components, and stack traces useful for attack planning or privilege escalation.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding: The file is framed as a harmless novel bug-fix report, but the embedded example script gathers runtime environment details, writes logs, and saves reports to disk. This mismatch between stated purpose and actual behavior can mislead reviewers and users, increasing the risk that excessive data collection is accepted without scrutiny.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding: The template is materially misaligned with the declared skill purpose. The manifest says the skill checks novels for bugs and provides reports, but this file instructs or implies broad repair, publication, release management, reader notification, workflow ownership, and direct content modification, which can cause an agent to exceed intended authority and perform unauthorized actions. In an agentic system, this scope drift is dangerous because downstream orchestration may trust template capabilities and let the skill alter content or trigger operational actions the user did not request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: This section expands the skill into release engineering, publication coordination, reader communication, and task management, none of which are necessary for a novel bug-checking skill. Even if no executable code is present, these instructions can steer an agent into unauthorized operational behavior, creating a confused-deputy problem where a content-analysis skill influences external workflows or communications.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger phrase encourages activation on a very common request like '帮我检查这段小说的逻辑漏洞' ("help me check this novel for logic holes"), which can overlap with ordinary user prompts and cause the skill to activate too broadly. Overbroad triggering increases the chance of unintended routing, prompt interception, or the skill influencing conversations where the user did not explicitly choose this tool.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The example uses a generic activation pattern without defining precise entry conditions or exclusions. Ambiguous triggering can cause the skill to activate on broad writing-review requests and produce responses outside intended scope, which is a prompt-routing and policy-boundary weakness even if it is not directly exploitable as code execution.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding: The repeated '[激活小说Bug检查技能]' ("[activate novel bug-check skill]") pattern across broad examples reinforces that the skill may self-activate on general review prompts rather than only on tightly scoped fiction-analysis tasks. This makes misrouting more likely and can lead to overbroad behavior or interference with other, more appropriate skills.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The examples state that reports are saved and files are generated, but provide no warning, consent model, or output-location constraints. If an implementation follows this behavior, it could create unexpected filesystem side effects, overwrite files, or leak sensitive content into persistent artifacts without the user's informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.