FBS-BookWriter

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real long-form writing tool, but it also reads host profile/memory data and includes admin, commercial, publishing, preview-server, and self-evolution capabilities that need review before installation.

Install only if you are comfortable with a Node-based writing tool that can run local scripts, modify manuscript files, keep persistent memory, and read some WorkBuddy profile/memory data. Use it in a trusted project root, avoid running WeCom admin, publish, commercial ledger, or self-evolution commands unless you intend those effects, and review/disable host-profile, host-memory, and auto-preview behavior if you need tighter privacy or containment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (178)

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding:
The build script injects Mermaid from a public CDN into generated HTML and then renders that HTML in Puppeteer for PDF generation. This creates a supply-chain and network-dependency risk: a compromised CDN response, unexpected upstream change, or MITM in a weak trust environment could execute untrusted JavaScript during the build and affect document contents or the build host/browser context.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding:
The runtime hints explicitly state that scripts can read, write, and execute agreed commands in a user-trusted book root and warn that the host may expose arbitrary read/write and command execution capability without OS-level sandboxing. For a writing-focused skill, this materially expands the attack surface from document editing to host command execution, making prompt injection, path abuse, or host integration flaws much more dangerous.

Context-Inappropriate Capability

Severity: Medium | Confidence: 88%
Finding:
The hostMemory configuration allows create, update, and delete operations, including deletion when the system detects 'user contradiction.' In a writing assistant, automatic deletion of memory/state is risky because ambiguous prompts, prompt injection, or misclassification can cause loss of project context or intentional erasure of records that may be needed for recovery and audit.

Intent-Code Divergence

Severity: High | Confidence: 92%
Finding:
The workflow gives conflicting instructions for search-tool failure handling: one section says to immediately pause and notify the user, while another says to continue writing after timeout or rate limiting. In a skill that mandates web verification for factual freshness, this contradiction can cause silent downgrade to unverifiable output and mislead users about the reliability of generated content.

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding:
The supplement adds payment-like capabilities such as balance checks, upgrade hints, purchase/recharge language, and a credits ledger that are outside the declared scope of a long-form writing skill. Scope drift like this is risky because it can trigger financially themed behavior unexpectedly, confuse users about the skill’s authority, and create a path for social-engineering or unauthorized monetization flows inside a non-financial skill.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Finding:
Documenting the ability to query a local credits ledger and provide upgrade or purchase guidance is context-inappropriate for a book-writing assistant and creates unnecessary access to monetization-related state. In this skill context, that behavior increases the chance of misleading prompts, accidental disclosure of local ledger data, or coercive upsell behavior being triggered by normal conversation.

Intent-Code Divergence

Severity: High | Confidence: 95%
Finding:
The document states WeCom spreadsheet capability is read-only, yet the command matrix exposes admin-style operations including validation, initialization, and status management for scene packs. This creates a dangerous trust mismatch: operators or downstream tooling may assume the integration cannot modify remote state, while the documented tooling suggests write-capable or state-changing actions exist, increasing the risk of unauthorized changes or privilege misuse.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding:
The document claims to be only lightweight delegation phrasing and not to execute APIs, yet it directs the host to inspect local configuration paths and run local scripts. This mismatch expands operational scope beyond passive guidance and can cause the agent to perform environment discovery and filesystem actions a user may not expect from a writing skill.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
Finding:
The guidance extends the skill from document-writing assistance into host-level multi-agent orchestration, including task routing, role restrictions, and write-path control. That broader authority increases the blast radius of the skill and can lead to unintended agent coordination or file operations outside the user's expected writing workflow.

Context-Inappropriate Capability

Severity: Medium | Confidence: 84%
Finding:
Heartbeat monitoring, shutdown requests, and force-termination procedures introduce active control over other agents rather than passive writing assistance. In a writing skill context, these controls are not essential and can be abused to disrupt work, suppress agent output, or create unauthorized supervisory behavior.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding:
The workflow instructs the agent to write persistent host "system memory" entries containing book title, theme, target readers, author voice, terminology, and word-count goals. For a document-writing skill, persistent cross-session memory is not strictly necessary and creates an undeclared data-retention channel that can expose sensitive project information beyond the current task or session. The skill context makes this more dangerous because book projects may contain confidential ideas, unpublished content, or identifying author information.

Context-Inappropriate Capability

Severity: Medium | Confidence: 84%
Finding:
The workflow mandates automatic web verification/network research during S0, even when the user may only be asking to start a writing workflow. Automatic outbound network activity is a capability expansion beyond basic document drafting and can disclose user topics, manuscript themes, or research interests to external services without clear prior approval. In this skill context, some research may be relevant, but making it automatic and mandatory increases privacy and policy risk.

Intent-Code Divergence

Severity: Medium | Confidence: 91%
Finding:
The document states a ban on silently substituting model knowledge during offline degradation, but later provides an inline annotation example explicitly saying the data source is model knowledge. That contradiction can normalize unsupported AI-generated content in a workflow intended for long-form publishing, increasing the risk of hallucinated facts being presented as research-backed material despite a disclosure tag.

Description-Behavior Mismatch

Severity: High | Confidence: 95%
Finding:
The policy defines a self-enhancement/evolution engine that can fetch external knowledge and update capability modules over time. That creates behavior drift beyond the declared book-writing scope, increases the attack surface, and can let the skill modify future behavior in ways that are difficult to audit or constrain. In a writing skill, self-modifying capability logic is especially risky because it blends content generation with ongoing policy/capability changes.

Context-Inappropriate Capability

Severity: High | Confidence: 92%
Finding:
The userMemoryIntegration block introduces cross-session access to host-side profile and memory files under ~/.workbuddy and project memory, then injects derived data into the book workspace. For a book-writing skill, this exceeds the minimum data needed for the task and creates privacy, consent, and data-boundary risks, especially if sensitive user profile content is reused across projects or sessions. The later smartMemory architecture reinforces persistent profiling and adaptive behavior based on accumulated user data.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
Finding:
This configuration allows the skill to bridge data from a host-level user profile directory under the user's home folder and inject a digest into the book workspace. Even though it is marked opt-in and gated, it expands access beyond the declared long-document-writing scope into potentially sensitive personal memory files, creating a real risk of overcollection, privacy leakage, and unintended cross-project data exposure if the host script is present or the user consents without understanding the scope.

Description-Behavior Mismatch

Severity: High | Confidence: 93%
Finding:
This configuration introduces broad smart-memory, user profiling, host bridge integration, and adaptive behavior that substantially exceeds a long-document writing skill's declared purpose. In this context, collecting and persisting user/workplace data without tight functional necessity increases privacy, scope-creep, and unintended surveillance risk, especially because it references host files and environment integrations outside the immediate writing workflow.

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding:
The self-enhancement/evolution block enables the skill to fetch external knowledge and modify its own methodology over time, which is materially outside the expected scope of a book-writing assistant. A network-driven self-modification path expands attack surface, can import low-quality or unsafe behavior, and undermines predictability and user trust even if framed as capability improvement.

Context-Inappropriate Capability

Severity: Medium | Confidence: 94%
Finding:
Persistent user-profile and host-environment integration are not well-justified for the stated purpose of drafting books and long-form documents. Referencing sources like workbuddy://USER.md, IDENTITY.md, SOUL.md and monitoring local directories creates a meaningful risk of overcollection, exposure of sensitive personal/work context, and cross-context data use beyond user expectations.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding:
A network-driven self-improvement capability is context-inappropriate for a writing skill because it allows behavior changes based on fetched methodology rather than stable, reviewable functionality. This creates a pathway for prompt-surface expansion, malicious or low-integrity knowledge ingestion, and unauthorized broadening of the skill's operational role.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding:
The restart path references an undefined variable `pool` when constructing the replacement agent, which will throw at runtime during health-check recovery. An unhealthy or attacker-influenced agent state that triggers this branch can disable self-healing and potentially crash or destabilize the pool manager, causing denial of service for the writing workflow. The skill context makes this somewhat more dangerous because the component is shared orchestration infrastructure, so a failure here can affect all pooled agents rather than a single task.

Description-Behavior Mismatch

Severity: Medium | Confidence: 87%
Finding:
The agent performs actions beyond simple local document delivery: it registers releases, advances governance state, emits bridge events, and sends notification events. In a document-writing skill, these side effects can expose project metadata or trigger downstream workflows without clear user consent, making the capability boundary broader and riskier than the stated delivery/export role suggests.

Description-Behavior Mismatch

Severity: Medium | Confidence: 92%
Finding:
The orchestrator sends external notifications via notifyBookEvent for chapter completion, quality pass, and book completion, which goes beyond a purely local writing/QC/export workflow. Even if the payloads are small, this creates undisclosed external data flows and metadata leakage about user projects, progress, and filesystem-associated book roots to an outside integration surface.

Context-Inappropriate Capability

Severity: Medium | Confidence: 90%
Finding:
The workflow includes S6 'conversion and publish mapping' using DeployAgent, which extends the skill from document generation into delivery/publication behavior not clearly justified by the stated book-writing scope. This increases the attack surface because content or metadata may be transformed, routed, or exposed to downstream publishing targets without clear user intent or boundary controls.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding:
The orchestrator defines two deployment stages (S5/S6 using DeployAgent) even though the skill is described as a long-form writing workflow. This capability mismatch is dangerous because it can enable unintended publishing, release, or external side effects that users and reviewers would not expect from a writing-only skill, increasing the risk of unauthorized content deployment or data leakage.

VirusTotal

67/67 vendors flagged this skill as clean.