
Security audit

multi-agent-writer

Security checks across malware telemetry and agentic risk

Overview

This writing skill is mostly transparent about its purpose, but its installer pulls mutable remote code, installs Python dependencies, and registers itself across multiple local agent environments.

Install only if you are comfortable trusting the external GitHub repository and its Python dependencies at install time. Prefer an explicit target such as `--agent openclaw` over automatic or all-agent installation, review the cloned code before running it in production mode, use a dedicated LLM API key so it can be revoked without affecting other workloads, and avoid sending sensitive unpublished content to the configured search or LLM providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares only Bash and Read tools, but its documented behavior includes network-dependent operations such as DuckDuckGo searches and outbound LLM API calls. This undeclared capability weakens operator visibility and permission boundaries, making it easier for data to be transmitted externally without an explicit permission declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The static finding indicates the skill does substantially more than its stated content-generation purpose, including repository cloning, package installation, skill registration into agent directories, symlink creation, and deletion/uninstall behavior. That mismatch is dangerous because users may invoke a seemingly harmless writing skill while it performs supply-chain, persistence, or filesystem-modifying actions outside the expected trust boundary.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer clones or updates remote code and then runs `pip install` against that repository's requirements, which performs system-changing actions beyond a simple skill registration step. This is a software supply-chain risk: because the upstream code and its dependencies are unpinned or can be modified later, whatever is upstream at install time is what gets installed, and `pip install` executes dependency build hooks as the invoking user, so a compromised package runs code on the user's machine before the skill is ever invoked.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script installs itself into multiple agent-specific skill directories, expanding its reach across unrelated tools without strong need for a content-generation skill. Broad cross-agent registration increases blast radius if the skill or its future updates are unsafe, and can surprise users by modifying more of their environment than expected.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The README documents `uninstall.sh --all` as deleting project code but does not clearly warn that this is a destructive operation. In a skill-installation context, users may run cleanup commands quickly, and ambiguous wording can lead to accidental deletion of local project data or symlinked content if the uninstall logic is broader than expected.
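To show what a non-destructive cleanup looks like, here is an added Python example; it is not the skill's own `uninstall.sh`. A registration is treated as removable only when it is a symlink that resolves inside the skill's install root, a real directory that merely shares the skill's name is never deleted, and the cloned code itself is removed only when explicitly requested. The directory layout built in `demo()` is a constructed sample in a temporary directory, and the agent names are placeholders.

```python
"""Least-destructive uninstall for a skill registered via symlinks.

Added example, not the audited skill's uninstall.sh; the directory layout in demo()
is constructed in a temporary directory and the agent names are placeholders.
"""
import shutil
import tempfile
from pathlib import Path


def plan_uninstall(install_root, registrations, delete_code=False):
    """Classify each registered path. Only symlinks resolving into install_root are removable."""
    root = Path(install_root).resolve()
    plan = {"remove": [], "skip": []}
    for p in map(Path, registrations):
        if not p.is_symlink():
            plan["skip"].append((str(p), "not a symlink; real files are never deleted"))
            continue
        target = p.resolve()
        if target == root or root in target.parents:
            plan["remove"].append(str(p))
        else:
            plan["skip"].append((str(p), f"symlink points outside the install root: {target}"))
    if delete_code:  # the equivalent of --all: only here is the cloned code itself touched
        plan["remove"].append(str(root))
    return plan


def apply_uninstall(plan):
    """Unlink the listed symlinks; remove the install root tree only if the plan lists it."""
    for p in plan["remove"]:
        path = Path(p)
        if path.is_symlink():
            path.unlink()  # removes the link, not what it points to
        elif path.is_dir():
            shutil.rmtree(path)


def demo():
    """Constructed sample tree: one real registration, one user directory, one stray symlink."""
    base = Path(tempfile.mkdtemp())
    root = base / "multi-agent-writer"
    (root / "src").mkdir(parents=True)
    (root / "src" / "main.py").write_text("print('skill')\n")
    regs = []
    for agent in ("openclaw", "claude", "codex"):  # placeholder agent names
        d = base / "agents" / agent / "skills"
        d.mkdir(parents=True)
        regs.append(d / "multi-agent-writer")
    regs[0].symlink_to(root)  # genuine registration
    regs[1].mkdir()  # user's own directory that happens to share the name
    (regs[1] / "notes.md").write_text("user's own copy\n")
    other = base / "unrelated-project"
    other.mkdir()
    regs[2].symlink_to(other)  # stray symlink into another project
    plan = plan_uninstall(root, regs, delete_code=True)
    apply_uninstall(plan)
    survivors = sorted(str(p.relative_to(base))
                       for p in (root, other, *regs) if p.exists() or p.is_symlink())
    shutil.rmtree(base)
    return plan, survivors


if __name__ == "__main__":
    plan, survivors = demo()
    print("removed:", plan["remove"])
    print("skipped:", plan["skip"])
    print("still present:", survivors)
```

Running the script removes only the genuine symlink and the cloned code; the user's same-named directory and the symlink into the unrelated project are reported as skipped and left in place.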

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are very broad, covering essentially any article or content-creation request. Overbroad activation increases the chance that the skill runs in unintended contexts, which becomes riskier when the skill also has shell access and network-facing behavior, potentially causing unreviewed external calls or side effects during routine writing tasks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer silently fetches code from GitHub and installs Python dependencies without an explicit warning, dry-run summary, or confirmation prompt. That behavior materially changes the system and exposes users to remote code execution and dependency compromise with limited transparency.
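As an added example, not code from the skill or from SkillSpector, the following Python performs the pre-install review that the supply-chain finding above, the cross-agent registration finding and this one together call for: it rejects a mutable git ref, flags requirements that are unpinned or unhashed, lists every agent directory the installer would modify, and refuses to proceed when any warning is present. The requirements text, repository URL and agent directory table are constructed placeholders, not the project's real values.

```python
"""Pre-install review for a skill installer that clones a repo and runs pip install.

Added example; the requirements text, repo URL and agent-directory table are
constructed placeholders, not the audited skill's real values.
"""
import re
import sys

# Constructed sample requirements file (not the skill's real requirements.txt).
SAMPLE_REQUIREMENTS = """\
# constructed example
requests>=2.0
duckduckgo-search
openai==1.30.0
some-lib==2.1.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
git+https://github.com/example/helper.git@main#egg=helper
git+https://github.com/example/other.git@1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b#egg=other
"""

# Assumed agent skill directories for illustration; the real installer's table may differ.
AGENT_SKILL_DIRS = {
    "openclaw": "~/.openclaw/skills",
    "claude": "~/.claude/skills",
    "codex": "~/.codex/skills",
}

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_requirements(text):
    """Return (line_no, spec, reason) for every spec that could later be swapped upstream."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).strip()  # drop trailing comments, keep #egg=
        if not line or line.startswith("#"):
            continue
        if line.startswith("git+") or "://" in line:
            m = re.search(r"@([^@#]+)(?:#|$)", line)  # ref after the '@' in the VCS URL
            ref = m.group(1) if m else ""
            if not COMMIT_SHA.match(ref):
                findings.append((n, line, "VCS dependency not pinned to a commit SHA"))
        elif "==" not in line:
            findings.append((n, line, "version not pinned with =="))
        elif "--hash=" not in line:
            findings.append((n, line, "pinned version but no --hash; index contents can change"))
    return findings


def plan_install(repo_url, ref, agents, requirements_text):
    """Build a dry-run summary. Nothing is cloned, installed or written here."""
    warnings = []
    if not COMMIT_SHA.match(ref):
        warnings.append(f"ref {ref!r} is a mutable name, not a commit SHA; pin it")
    if not agents or agents == ["all"]:
        warnings.append("no explicit --agent given; every known agent directory would be modified")
        agents = list(AGENT_SKILL_DIRS)
    for a in agents:
        if a not in AGENT_SKILL_DIRS:
            raise ValueError(f"unknown agent {a!r}")
    for n, spec, reason in check_requirements(requirements_text):
        warnings.append(f"requirements line {n}: {spec!r}: {reason}")
    actions = [f"git clone {repo_url} && git checkout {ref}",
               "pip install -r requirements.txt (dependency build hooks run as your user)"]
    actions += [f"create symlink in {AGENT_SKILL_DIRS[a]}" for a in agents]
    return actions, warnings


def main(argv):
    """Usage: review.py <repo-url> <ref> [agent ...]; prints the plan, then asks before proceeding."""
    repo, ref, agents = argv[1], argv[2], argv[3:]
    actions, warnings = plan_install(repo, ref, agents, SAMPLE_REQUIREMENTS)
    print("Planned actions:")
    for a in actions:
        print("  -", a)
    for w in warnings:
        print("WARNING:", w)
    # Any warning blocks the install outright; otherwise require an explicit confirmation.
    if warnings or input("Proceed? [y/N] ").strip().lower() != "y":
        print("aborted; nothing was changed")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed requirements above, `python review.py https://github.com/example/skill.git main all` prints the clone, `pip install` and three symlink actions, then aborts on the unpinned ref, the missing `--agent`, and four requirement lines; only a 40-hex commit, an explicit agent and fully pinned, hashed requirements reach the confirmation prompt.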

VirusTotal

63/63 vendors flagged this skill as clean.


Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:77
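To illustrate the kind of check behind a finding like this, here is an added Python example; it is neither SkillSpector's scanner nor anything from the skill, and the SKILL.md text it scans is constructed (the page does not show what is on the real line 77). It matches credential-looking assignments, drops obvious placeholders such as `${VAR}` or `YOUR_...`, and uses Shannon entropy to separate a random key from repeated or dictionary text, reporting each hit by line number with the value masked.

```python
"""Secret-literal scan over a skill's SKILL.md.

Added example illustrating a check of the suspicious.exposed_secret_literal kind;
not SkillSpector's or the skill's code. The SKILL.md text below is constructed and
the 32-character value is a made-up string, not a real credential.
"""
import math
import re

SAMPLE_SKILL_MD = """\
---
name: writer-example
---
## Configuration
Set `OPENAI_API_KEY` in your environment before running.
export OPENAI_API_KEY="${OPENAI_API_KEY}"
export SEARCH_KEY="YOUR_SEARCH_KEY_HERE"
# constructed sample, not a live credential
api_key = "qX7v2nB9pL4kR8tW3zM6yH1cF5dG0sA2"
token = "abcd"
password = "aaaaaaaaaaaaaaaa"
"""

# name = value pairs with a credential-like name; the value must be quoted and at least 8 chars
ASSIGN = re.compile(
    r"(?i)\b\w*?(api[_-]?key|secret|token|password|passwd|key)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
# values that are obviously placeholders rather than secrets
PLACEHOLDER = re.compile(r"(?i)^(\$\{[^}]*\}|<[^>]*>|your[_-].*|changeme.*|x{4,}|\*{4,})$")


def shannon_entropy(s):
    """Bits per character; random keys sit well above 3, repeated or dictionary text below."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text, min_entropy=3.0):
    """Return one finding per line holding a credential-looking literal, value masked."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            if PLACEHOLDER.match(value):
                continue
            ent = shannon_entropy(value)
            if ent < min_entropy:
                continue
            hits.append({"line": n, "name": name, "value": value[:4] + "...",
                         "entropy": round(ent, 2)})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_SKILL_MD):
        print(f"SKILL.md:{h['line']}: {h['name']} = {h['value']} (entropy {h['entropy']})")
```

On the constructed sample only line 9 is reported: the `${OPENAI_API_KEY}` and `YOUR_SEARCH_KEY_HERE` values are filtered as placeholders, `"abcd"` is too short to match, and the all-`a` password falls below the entropy threshold. The entropy cut is a heuristic, so a real scanner pairs it with provider-specific prefixes and a review of each hit.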