ZF-novel-writer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real novel-writing workflow, but it can run broad automatic agent/file operations with weak scoping and unclear user control.

Install only if you want an automated, file-writing novel pipeline. Invoke it explicitly with /novel or the skill name, keep it in a dedicated project directory, review generated file paths before running helper scripts, and avoid using it on sensitive manuscripts unless local prompt and continuity-file retention is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill documents read/write behavior across user-controlled book directories, temp outputs, summaries, and metadata updates, but does not declare permissions or warn users about these capabilities. Undeclared file access is dangerous because it weakens review and consent boundaries, making it easier for the skill to modify or overwrite local content unexpectedly.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented behavior goes materially beyond the stated novel-writing workflow, including extra automation, hardcoded local file updates, inspection CLIs, and an external LLM wrapper despite claims of host-model-only operation. This mismatch is dangerous because reviewers and users may trust the declared scope while the skill performs broader actions, increasing the chance of hidden side effects, data exposure, or unauthorized network use.

Description-Behavior Mismatch

Severity: Medium
Confidence: 81%
Finding: The documentation claims no external API dependency while also advertising an automatic Tomato Novel publishing script, which implies outbound interaction beyond the local writing pipeline. That inconsistency is risky because users may authorize a local-only writing assistant without realizing it may publish content or contact external services.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The checker is not limited to structural validation; it enforces specific narrative content such as financial summaries, next-chapter previews, and system-related text. In a multi-agent writing skill, this can coerce the writer agent toward unwanted themes or hidden requirements, creating prompt-shaping behavior that may leak into generated content and reduce user control.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The interactive mode is broken: it references an undefined `settings` variable and ignores user-provided customization values when generating the outline. This is not a security exploit in the classic sense, but it is a real integrity/reliability flaw that can cause crashes or produce misleading output contrary to user intent.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The triggers include broad, natural phrases like 'write novel' and 'generate chapter', which are likely to appear in ordinary conversation and can cause accidental invocation. In a skill that spawns agents and edits files, unintended activation raises the risk of unapproved file operations or long-running automated workflows.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill describes automatic file creation, metadata updates, file moves, and cleanup as part of normal operation, but does not clearly warn that it will modify user files. This is dangerous because users may invoke a writing aid expecting text generation only, while the skill reorganizes or overwrites project data on disk.

Shadow Command Trigger

Severity: Medium
Category: Trigger Abuse
Confidence: 78%
Finding: The trigger phrase 'write novel' overlaps with a common built-in-style command prefix and increases the chance that unrelated writing requests route into this skill. Because the skill can spawn sub-agents and modify files, trigger shadowing can lead to accidental execution of privileged workflow steps.

VirusTotal

65/65 vendors flagged this skill as clean.