Back to skill

Security audit

novel-generator 是一个中文爽文小说生成技能。用户只需提供一句话方向(如"写个都市重生爽文"),AI 代理即可自动完善提示词、规划大纲、逐章创作并输出为独立 Markdown 文件。 核心特性: 智能提示词生成:从一句话方向自动补全世界观、人设、冲突、爽点设计 分章节创作:每章 2000-3000 字,层层递进,章章有爽点 记忆系统:通过 .learnings/ 记录角色、地点、情节、世界观,确保故事前后一致 情节图解:关键战斗、人物关系、势力分布自动生成 Mermaid 图 失败记录:穿帮、矛盾、崩塌等问题自动记录,持续优化 多题材支持:都市、修仙、玄幻、重生、系统流、末世、科幻、游戏 兼容 Claude Code、Cursor、OpenAI Codex、GitHub Copilot 等所有支持 Agent Skills 的工具。

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese fiction-writing skill that saves story chapters and continuity notes, with no evidence of hidden network access, credential use, or unrelated privileged behavior.

Install this only in a workspace where saving generated fiction, prompts, and continuity notes is acceptable. Keep different novels in separate workspaces or clear `.learnings/` between projects, and use `init-novel.sh --clean` only when you intentionally want to reset prior generated Markdown chapters and story memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that chapters are automatically written as standalone markdown files and that persistent memory and error logs are maintained, but it does not clearly warn users that using the skill causes local filesystem writes. In an agent environment, undocumented writes can surprise users, leak sensitive prompt/story content into persistent storage, and create privacy or workspace hygiene issues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documented initialization command includes a `--clean` option without any warning that it may delete or overwrite existing content. In practice, users may run the copied command verbatim and unintentionally destroy prior drafts, notes, or generated chapters, especially in automated or agent-assisted workflows.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger text is very broad and matches generic writing/story requests, so the skill may activate in situations where the user did not specifically ask for this workflow. That increases the chance of unexpected file reads/writes and unintended persistence of user content, especially because the skill also requires memory-file handling.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill metadata and instructions are explicitly Chinese-oriented and can steer outputs into a specific language/locale without confirming user preference. While not directly a security exploit, it can override user intent and cause inappropriate handling of content, which is risky when combined with automated persistence and broad triggering.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to store user-provided story directions and continuity details in `.learnings/` without defining retention limits, content minimization, or sensitivity checks. This creates a persistent natural-language memory that may retain private, copyrighted, or otherwise sensitive user material beyond the immediate task.

Ssd 3

Medium
Confidence
94% confidence
Finding
Recording failed generations and their reasons into persistent memory can capture sensitive prompt content, partial outputs, or error context that the user did not intend to keep. Failure logs are especially risky because they often preserve raw problematic input and can later be reused or exposed unintentionally.

Ssd 3

Medium
Confidence
92% confidence
Finding
Mandating reads of all memory files before each chapter broadens access to previously stored user-derived content regardless of whether each file is necessary for the current request. This increases the risk of over-collection, accidental cross-contamination between projects, and resurfacing old sensitive content in new outputs.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.