ClawHub

小说家 — 网文写作全流程技能

Security checks across malware telemetry and agentic risk

Overview

This is a fiction-writing helper that stores project notes locally for continuity, with no scripts, network access, or credential use.

Install only if you are comfortable with novel ideas, drafts, character notes, and plot tracking being saved under memory/{project name}/ for later reuse. Avoid storing highly sensitive personal or proprietary material there unless you are prepared to inspect, edit, or delete those local files yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly writes user-supplied project content into persistent local memory files and tells the user the content has been archived, but it does not clearly disclose retention, scope, or privacy implications before storing data. This creates a real privacy and consent issue because users may provide unpublished manuscripts, personal notes, or sensitive creative material without realizing it will persist across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to read persistent project files across sessions, which implies cross-session retention and reuse of user content, but it gives no privacy or data-handling warning. That is dangerous because prior user data may be surfaced or reused unexpectedly, including sensitive or proprietary writing content, without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill generates a hidden tracking card and appends it to persistent project memory without explicit notice, meaning it stores inferred metadata about plot state, emotional state, and reader expectations that the user may not realize is being retained. Hidden persistence is particularly risky because it undermines transparency and can capture derived or sensitive information beyond the user's visible prompt.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal