孤舟小说工作室

Security checks across malware telemetry and agentic risk

Overview

This is mainly a novel-writing assistant, but it should be reviewed because it can persistently rewrite project files and even its own skill instructions.

Review before installing. Use it only in a project workspace you are comfortable letting the skill read and modify. Avoid or manually supervise the self-evolution feature that updates `SKILL.md`; require a visible diff and explicit approval before any skill-instruction, style-file, outline, memory, or report overwrite. Keep sensitive or unpublished manuscripts outside the workspace unless you intend the skill to process and persist them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The self-evolution section explicitly allows the skill to update its own SKILL.md, creating a self-modifying prompt surface. In an agent setting, this is dangerous because untrusted sample content or user-provided text could be incorporated into future instructions, causing persistent prompt injection or policy drift beyond the original novel-writing scope.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The skill advertises a feature that updates the skill itself, even though its primary function is novel writing and project management. Self-modification of the governing instruction file is a high-risk capability because it can permanently alter future behavior, expand scope, or embed adversarial instructions from samples or user input.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The README advertises very broad trigger phrases such as generic requests to write, research, continue, or check content, which can cause unintended module activation from ordinary user language. In an agent skill context, ambiguous routing increases the chance of surprising behavior, including invoking creation, QA, or long-form management flows when the user did not clearly consent to that action.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README states that the system supports project initialization, memory tracking, local backups, and automatic chapter saving, but does not clearly warn users about when files are created or modified. In a skill environment, undocumented write behavior can lead to unintended persistence of sensitive drafts, metadata, or user-provided content on local storage.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The trigger keywords are broad, common phrases such as '写一个故事', '修改', and '问题', which can easily appear in ordinary conversation and unintentionally activate this skill or the wrong module. In an agent environment, ambiguous auto-routing increases the chance of unintended tool invocation, mis-scoped handling of user requests, and confusing or unsafe execution paths.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The document states that the system will automatically recognize user intent and dispatch the most suitable tool, but it does not define clear activation boundaries, confidence thresholds, or fail-safe behavior. That ambiguity makes accidental activation and cross-module routing more likely, especially when user input contains mixed creative, editing, or review terms.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger words are extremely broad and overlap with common conversational terms such as '检查' and '质量', which can cause the skill to activate unintentionally during unrelated user requests. In an agent system, this increases the chance of unwanted execution paths, confusing behavior, or accidental file/report generation without clear user intent.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding:
The module states that it writes QA reports to a filesystem path but does not mention notifying the user, obtaining consent, or explaining persistence behavior. This can lead to unexpected data retention and silent artifact creation, especially if the analyzed chapter content contains sensitive or unpublished material.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The skill advertises very broad trigger phrases such as “QA一下”, “回归测试”, and “检查一下第X章”, which overlap with normal conversational language and can cause unintended activation. Because the skill may then read project files and write reports under reports/, accidental invocation can expose unrelated content to analysis or create unintended filesystem side effects.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger phrases are generic terms like '调研', '市场分析', and '竞品', which can appear in many normal conversations and may cause this module to activate without clear user intent to run a research workflow. Over-broad activation increases the risk of unintended routing, irrelevant data generation, or the wrong skill handling user requests, especially in systems that auto-select modules from keyword matches.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger list includes broad, common phrases such as '大纲' and '人物设定', which can cause the module to activate during ordinary writing or discussion rather than only when the user explicitly intends to use this skill. In an agent system, accidental activation can redirect workflow, expose project context unnecessarily, or cause unintended file/project operations tied to the long-form management module.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The trigger description includes broad everyday phrases such as writing or continuing a novel, which can cause the skill to activate in situations where the user did not intend file operations or strict workflow enforcement. Over-broad activation increases the attack surface by making accidental invocation and unintended context/file access more likely.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The '回归大纲' trigger lacks scope constraints, so a vague request could activate broad reading and synchronization across many chapters and metadata files. In a file-managing skill, ambiguous triggers are risky because they can lead to unintended bulk processing or writes without the user clearly specifying boundaries.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill performs creation and modification of multiple local files, but the trigger description does not clearly warn the user that invoking the skill can cause persistent writes. Hidden or under-disclosed write behavior is dangerous because users may intend a drafting conversation, not filesystem changes affecting project state.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The self-evolution workflow states it will modify both references/writing-style.md and SKILL.md without a prominent warning or approval gate. This is especially dangerous because it enables persistent instruction and behavior changes, not just ordinary content updates, making prompt-injection persistence much easier.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The synchronization flow rewrites dagang.md by renaming sections and appending content, but does not require an explicit warning or confirmation immediately before the overwrite-style operation. Even if intended as archival, this mutates user-authored source material and can cause data integrity or workflow issues if triggered unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger list contains very broad phrases such as '风格', '模仿', and '像...一样', which are common in ordinary user conversation and can cause the module to activate unintentionally. In an agent skill system, overly broad activation increases the chance of unexpected routing, unwanted style imitation behavior, and misuse in contexts where the user did not explicitly request this capability.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The module explicitly states it uses user-provided reference works, stores Style-DNA data, and evolves based on user modification history, but it provides no notice about retention, consent, or handling of potentially sensitive user content. This creates privacy and data governance risk because users may unknowingly provide copyrighted, personal, or confidential text that is then stored or reused.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly allows overwriting existing files in styles/[作品名].md without requiring a confirmation prompt or versioning. This creates a real integrity risk: a mistaken or adversarially crafted 'learn/update' request could silently replace a trusted style reference, poisoning future writing tasks that rely on that file.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The trigger phrases are very broad and match common generic writing requests, so the skill may be invoked in situations where the user did not specifically ask for this persona-style transformation. That can cause unintended routing, style hijacking, or misapplication of a niche author-imitation skill to ordinary writing tasks, which is a real scope-control issue even though it is not directly code-executing.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The workflow explicitly instructs the agent to create a project directory tree and initialize project files, but it does not mention obtaining explicit user confirmation, constraining the write location, or warning that filesystem state will be changed. In an agent setting, undocumented file creation can lead to unintended writes, workspace pollution, or overwriting existing content if project names collide or paths are resolved unsafely.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
These steps describe saving chapters, generating QA reports, and updating memory files, including archival and current-state files, without disclosing that existing files may be overwritten or changed. In practice, this can silently alter project state, destroy prior drafts, or corrupt continuity data if the agent reruns steps or targets the wrong project.

VirusTotal

65/65 vendors flagged this skill as clean.