v0.1.4

Webnovel Serial Pipeline

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:35 AM.

Analysis

The skill appears to be a transparent local workflow for drafting and publishing Quartz web-novel files, with disclosed file-writing behavior and optional cover-generation credentials to review.

Guidance: Install this only if you want a local helper for publishing a Quartz web-novel site. Before running the one-shot publish command, review the draft, confirm the output paths, keep backups of the Quartz folder, and treat any optional image-generation API key as sensitive.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/publish_review_ok.sh
# Publish workflow that should ONLY be run after the user says: "검수 완료". ... copy draft -> Quartz ... sync_index.py

The publish workflow intentionally copies reviewed drafts into the Quartz content folder and syncs the index. This is disclosed and approval-gated, but it is still a local content mutation users should notice.

User impact: Running the publish command can add or update files in the local Quartz site folder, which may later become publicly visible depending on the user's deployment process.
Recommendation: Run the publish workflow only after reviewing the draft and confirming the Quartz, series, index, and output paths are correct.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
scripts/check_deps.sh
need python3
need ffmpeg

The bundled dependency check requires local binaries even though the registry metadata declares no required binaries or environment variables. This is not hidden behavior, but installers may not surface the prerequisites automatically.

User impact: Installation may appear requirement-free even though the workflow needs local tools and paths to operate correctly.
Recommendation: Verify python3, ffmpeg, and WEBNOVEL_QUARTZ_ROOT before use; maintainers should declare these requirements in metadata.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
NANO_BANANA_KEY (only if you generate covers using nano-banana-pro)

The skill documents an optional provider API key for cover generation. This is purpose-aligned and no bundled code shows leakage or hardcoded credentials, but it is a credential users should handle carefully.

User impact: If the optional key is set, cover-generation activity may use the user's provider account or quota.
Recommendation: Use a limited-scope key if available, avoid pasting it into drafts or published files, and unset it when not needed.