Security audit

mumu-ai-novel

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MuMu novel-management skill, but it can log in to MuMu and publish or overwrite chapters when its review commands are run.

Install only if you trust the MuMu server and want an agent to actively manage a novel project. Set MUMU_API_URL, MUMU_USERNAME, and MUMU_PASSWORD explicitly, prefer a limited-purpose account, leave MUMU_SESSION_FILE unset unless you can protect that file, and double-check project_id and chapter_id before approving or rewriting because those actions can publish changes immediately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The client defaults to hardcoded administrative-looking credentials via environment fallbacks (`admin` / `admin123`) and automatically uses them to authenticate. In an agent skill context, this is dangerous because it enables silent access attempts against a local or configured service and may succeed if default credentials are still active, leading to unauthorized access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The script claims to surface unaudited or review-relevant chapters, but it fetches the full chapter list and prints both metadata and content previews for all matching statuses, including completed chapters. This broadens data exposure beyond the implied scope and can leak sensitive story content or finalized chapters to anyone running the tool or collecting its output.

Intent-Code Divergence

Severity: Low
Confidence: 84%
Finding:
The CLI description suggests a narrow review-candidate listing, but the implementation intentionally reads and later outputs the full chapter list. This mismatch is dangerous because operators may trust the tool's description and unknowingly disclose more project data than expected in logs, terminals, or downstream automation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly supports rewriting chapters in a way that officially overwrites and publishes them, but it does not present a prominent warning or confirmation step before destructive publication. In a shared or automated agent setting, that can cause irreversible content loss, accidental publication, or tampering with existing chapters through a routine review flow.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
Session cookies are persisted to a file path controlled by `MUMU_SESSION_FILE` without permission hardening, encryption, or user disclosure. If another local user, process, or agent can read that file, they may hijack the authenticated session and access the associated account without needing the password.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The code automatically reads credentials from environment variables and sends them in a login request, with no explicit user consent or transparency about credential use. In a shared agent/workspace environment, this can cause unintended credential use and exposure to an unexpected endpoint if `MUMU_API_URL` is changed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Both the approve and rewrite paths immediately issue remote PUT requests that publish a chapter, and the rewrite path also overwrites content in the same step. This creates a meaningful risk of accidental irreversible state changes from operator error, bad prompt chaining, or unsafe automation, especially because the skill is designed for batch editorial workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.