Back to skill

Security audit

番茄小说自动创作发布一条龙

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built to publish novel chapters to a live Fanqie author account, but it lacks clear safeguards around account credentials and live public posting.

Install only if you intentionally want an agent-assisted workflow to act through your Fanqie writer account. Review generated chapters manually before publishing, protect the Fanqie cookie file like a password, verify the separate fanqie-publisher dependency, and avoid batch or automatic publication unless you are comfortable with live external changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes automatic posting of generated chapters to a live publishing platform, but it does not warn users that this is a write action affecting a real account and publicly visible content. In this skill context, the omission is more dangerous because the core purpose is end-to-end generation plus publication, so a user may trigger irreversible or reputation-impacting actions without understanding account, policy, or content risks.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The README instructs users to log into a writer account but provides no warning about handling authenticated sessions, account permissions, or privacy/security implications. This is risky in context because the skill later uses that authenticated state to perform external actions on the user's publishing account, increasing the chance of accidental misuse or exposure of account access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly advertises an end-to-end pipeline that goes from idea generation to automatic publication on an external platform, but it does not prominently warn users that generated content may be published automatically. This creates a real risk of unintended external actions, including accidental publication of low-quality, sensitive, copyrighted, or policy-violating material, especially because the workflow framing emphasizes one-click automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation references a cookie file used for publication but does not warn that it contains sensitive authentication material. Users may mishandle, expose, or commit this file, enabling account takeover or unauthorized publishing if the cookie is stolen.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.