Back to skill

Security audit

Manju Script Generator

Security checks across malware telemetry and agentic risk

Overview

The skill does the advertised script generation, but it sends manuscript and character content to a local LLM HTTP endpoint without clearly telling the user first.

Review before installing. Use this only with manuscript content you are comfortable sending to the configured local LLM service, and verify what is running on 127.0.0.1:18789 and whether it forwards requests to an external provider. Prefer adding explicit consent, endpoint configuration, and a no-network mode before handling private or unpublished work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises executable usage that reads input files, writes output files, and—per the correlated static finding set—has network capability, yet no permissions are declared. Undeclared capabilities are dangerous because they prevent users and enforcement layers from understanding that sensitive novel text and character data may be accessed, persisted, or transmitted.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is script generation, but the behavior also sends user-provided novel and character data to an HTTP LLM service and writes multiple artifacts to disk without making that data flow explicit in the primary description. This is dangerous because users may provide copyrighted, private, or commercially sensitive manuscript content under the assumption it is processed locally and only used to produce a script, when it may instead be disclosed to another service and retained in files.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script transmits the full novel text and character metadata to a chat-completions service over HTTP on 127.0.0.1 without any disclosure or consent step. Even though this may target a local service, it still exports potentially sensitive user content outside the core local processing path, which creates privacy and data-handling risk and can expose data to other local processes, proxies, or misconfigured port-forwarding.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User-supplied novel text and character data are sent to an LLM endpoint without any explicit warning, consent, or data-classification check. This is dangerous because users may provide unpublished manuscripts or personal data in character descriptions, assuming the tool is local, and the transfer can lead to unintended disclosure or retention by another service.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.