
Security audit

Wanxiang Scroll Core

Security checks across malware telemetry and agentic risk

Overview

This appears to be a story/plot-management skill, but it needs review because it describes hidden persistent notes and open-ended narrative commands without clear user controls.

Install only if you are comfortable with the skill keeping hidden story-planning state across sessions. Before using it with personal, sensitive, or private writing, look for clear commands to view, export, reset, and delete hidden notes, and prefer explicit user confirmation before resets, role changes, or dynamically introduced commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
This file exposes commands that can arbitrarily create objects, generate characters, alter roles, reset scenes, and mutate world state beyond the declared scope of a 'core protocol, style switching, and plot management' skill. In an agent setting, undocumented state-changing capabilities increase the risk of prompt-surface expansion, unexpected side effects, and misuse by users or downstream orchestrators that trust the manifest to describe allowed behavior.

Context-Inappropriate Capability

Low
Confidence: 82%
Finding
The documented hidden note/foreshadow recording feature creates concealed state that is not apparent from the manifest description and may not be visible to the user. Hidden memory-like mechanisms can be abused to store instructions, misleading context, or sensitive user content without sufficient transparency.

Description-Behavior Mismatch

Low
Confidence: 90%
Finding
The document describes a 'hidden floor' feature as content not shown to the user, yet also states that it is persisted in SQLite across sessions. Concealed, durable storage creates a trust and privacy risk because users may not realize information can be retained and influence future behavior outside the visible conversation context.

Vague Triggers

Medium
Confidence: 94%
Finding
Allowing the system to 'temporarily generate specific commands according to plot needs' without strict constraints creates an open-ended instruction surface. This can bypass the otherwise enumerated command set, weaken safety assumptions, and enable ad hoc privileged behaviors that were never reviewed or documented.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger for generating a new summary is described with vague conditions such as when the plot has progressed 'a certain distance' or when context is 'too long'. In an agent skill, ambiguous triggers can cause unintended invocation, premature interruption of normal output, and accidental disclosure or over-compression of narrative state, which can degrade reliability and enable prompt-manipulation through loosely matching user requests.

Vague Triggers

Medium
Confidence: 86%
Finding
The full-summary mode is triggered by broad phrases like needing a complete review, entering a new chapter, or context being too long, without precise boundaries on what content is included. This can cause the agent to collapse or expose more conversation state than intended, especially because the instructions say to stop other output and produce a comprehensive merged summary.

Missing User Warnings

Medium
Confidence: 96%
Finding
Persistent hidden storage is documented without a clear warning that concealed content is retained across sessions. This is dangerous because it can undermine user expectations, enable silent accumulation of sensitive or manipulative context, and reduce transparency around how the agent's behavior is shaped over time.

VirusTotal

57/57 vendors reported this skill as clean.