Security audit

Time Weaver

Security checks across malware telemetry and agentic risk

Overview

This writing skill is review-worthy because it makes online chapter publishing and plaintext API-key storage part of the normal workflow rather than a clearly separate opt-in step.

Install only if you are comfortable with generated chapters being uploaded to the Time Weaver website and with an API key stored locally in plaintext. Before using it, disable or avoid the auto-publish flow, confirm every upload manually, and consider using a throwaway or least-privilege API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The workflow includes automatic chapter publication to an online platform even though the skill is framed primarily as exploratory interactive writing. Automatic publication changes the risk profile substantially because unpublished drafts, private notes, or sensitive story content may be sent outside the local environment without a deliberate publication step.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Online publishing is not clearly necessary to fulfill the stated purpose of helping users write branching fiction. When networked side effects are bundled into a creative-writing flow without clear justification, users are more likely to trigger unintended external disclosure of drafts and metadata.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s documented purpose is chapter generation, but it also embeds a mandatory workflow to save and publish content externally. That expands the trust boundary from local drafting to external distribution without clear consent gating, creating a real risk of unintended disclosure of user content or sensitive story/project data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This section specifies an immediate publish command to an external website as part of the normal workflow, even though external publication is not necessary for exploratory novel writing. Because the command transmits generated chapter content off-system, it can expose unpublished intellectual property or user-provided material without meaningful review or approval.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill specifies automatic creation of book directories and repeated updates to WORLD.md, CHARACTERS.md, PLOT.md, and chapter files without warning the user about local persistence. Silent writes can expose sensitive drafts, overwrite user data, and leave behind a detailed record of prompts and creative content on disk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documented CLI command publishes chapter content externally without any privacy warning, destination disclosure, or explicit approval step. This is dangerous because manuscript text, embedded notes, and possibly metadata from local files can be transmitted to third-party services unexpectedly.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill mandates that generated chapters be saved and then immediately published, but it does not warn the user that their content will be sent to an external service. In a writing assistant context, this is especially dangerous because users reasonably expect drafting help, not automatic public disclosure of unpublished work.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill requires automatic file creation and updates to multiple persistent state files without informing the user about local filesystem modifications. This can lead to unexpected persistence of generated content, metadata, and progress records, which is a security and privacy concern in environments where users expect ephemeral assistance.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that character archives are updated automatically after each chapter, but it does not require explicit user notice or confirmation before modifying stored data. In an agent environment, silent writes to persistent files can overwrite user-authored content, introduce inaccurate state, or normalize unauthorized persistence without the user's awareness.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation phrase "导出小说为电子书" ("export the novel as an e-book") is generic and overlaps with ordinary user intent, so the skill may trigger when a user is merely discussing exporting rather than explicitly invoking this sub-skill. In an agent environment, overly broad triggers can cause unintended file access, chapter aggregation, or output generation without sufficiently clear user confirmation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The custom export example allows flexible natural-language parameters but does not define clear boundaries for when the skill should activate versus when the user is simply describing a story or publication preference. This ambiguity increases the chance of accidental invocation and unintended processing of local content or metadata.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The manual trigger phrase "发布我的小说" ("publish my novel") is broad and could be invoked during ordinary conversation, causing the agent to initiate publishing actions without sufficiently explicit user intent. In this skill, that action can result in external data transmission to a third-party site, so ambiguous triggering increases the risk of unintended publication.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill asks the user to send an API key to the agent and stores it locally in plaintext, but does not clearly warn the user about this sensitive handling. This creates credential exposure risk through chat logs, local filesystem access, backups, or other processes that can read the file.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill defines automatic publishing after each chapter is written, but does not provide an explicit user warning that chapter contents will be transmitted to an external service. Because publishing is automatic and recurring, users may unknowingly disclose drafts or sensitive material beyond their local environment.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill explicitly instructs the agent to request an API key from the user and save it using `echo` into `~/.time-weaver-config` in plaintext for later automated use. This is dangerous because secrets handled in conversational channels and stored unencrypted are easily exposed via logs, shell history patterns, file disclosure, or multi-user system access.

VirusTotal

63/63 vendors flagged this skill as clean.