zeelin-writing

Security checks across malware telemetry and agentic risk

Overview

This writing assistant is mostly relevant to its purpose, but it can read local content, store credentials, install packages, and prepare publishing actions with too little user control.

Use this only in a dedicated content workspace. Do not place unrelated private files in its default folders, avoid providing Google or WeChat credentials unless you accept plaintext local storage, install dependencies manually in a trusted environment, and require explicit approval before any draft upload or publishing action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: These instructions direct the agent to create directories and write persistent credential files as part of normal operation, which exceeds the minimum privileges needed for content drafting. Expanding a writing skill into local system modification increases the chance of credential exposure, accidental overwrites, and misuse if the skill is triggered unintentionally.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The skill instructs use of shell tooling such as `which`, `curl`, and optional local scripts during execution, even though the core purpose is writing assistance. Invoking external tools expands the attack surface through command execution, untrusted script invocation, and network exfiltration pathways beyond what a user would reasonably expect from a writing helper.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: This script executes `npm install` automatically when imports fail, causing network access and arbitrary lifecycle script execution from package dependencies in the local project context. For a document conversion utility, silently installing and executing package code exceeds user expectations and can be abused if the project manifest or lockfile is tampered with, or if installation occurs in an untrusted workspace.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The script prompts for a GOOGLE_API_KEY and appends it to ~/.zshrc or ~/.bashrc, causing long-lived credential persistence outside the immediate setup task. This broadens exposure because the key is stored in plaintext in a shell startup file that may be backed up, synced, inspected by other tools, or inherited by future shells unintentionally.

Vague Triggers
Severity: High
Confidence: 95%
Finding: The top-level trigger phrases are extremely broad for common writing requests, making accidental activation likely. Because this skill also performs file reads, credential setup, and potential publishing-related steps, broad activation materially increases the risk of unintended privileged actions.

Vague Triggers
Severity: High
Confidence: 94%
Finding: The trigger matrix includes ambiguous categories like modification, polishing, and generic 'how to' questions, without guardrails limiting when the skill should activate. In context, this is risky because normal editing requests could unintentionally launch an automated multi-step workflow with file and network side effects.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The description advertises automatic publication to WeChat drafts and one-click Xiaohongshu publishing without a clear confirmation checkpoint. Any platform-facing action that can create or queue public content is sensitive and should never be implied as automatic from a generic writing request.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: The workflow explicitly states that steps 2 through 10 execute continuously without asking for confirmation, even though later steps involve file creation, local data access, network retrieval, and potentially platform publication. Removing approval gates from side-effecting actions creates a strong risk of unauthorized or accidental changes.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The setup flow tells the agent to write API credentials into a local .env file without a prominent warning about persistence, file permissions, or secret leakage. This can lead users to expose long-lived secrets in an insecure location as part of a seemingly routine writing workflow.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill automatically reads local files and performs web retrieval without clearly warning what local content will be inspected or what information may be sent to external services. In a writing context, local drafts, research, and historical articles can contain sensitive business or personal data, so silent ingestion materially raises privacy risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script stores a sensitive API key in shell startup files without clearly warning that the secret will persist in plaintext across sessions. Users may assume they are only configuring the current run, while the key becomes broadly exposed to local disclosure through dotfile sharing, backups, logs, or accidental publication.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The workflow explicitly instructs persistent storage of user-provided API keys and secrets in a local .env file. Persisting secrets during normal skill execution increases exposure to accidental disclosure through backups, logs, file browsing, version control, or other local tools.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The skill directs automatic reading of user-attached files and local knowledge/history folders without confirmation. This is risky because those folders may contain unrelated private material, proprietary drafts, or confidential data that the user did not intend to expose to the skill or any downstream external retrieval step.

VirusTotal

66/66 vendors flagged this skill as clean.