Novelcraft

Security checks across malware telemetry and agentic risk

Overview

NovelCraft appears to be a real autonomous novel-writing skill, but it needs review because it can run and terminate subagents, modify project files, and send image prompts to a hard-coded HTTP service.

Install only in a dedicated workspace and start in step-by-step mode. Review the image provider before enabling images, replace any hard-coded /home/felix paths and HTTP endpoint with your own scoped configuration, and confirm backups before allowing reset/delete, overwrite, or final-promotion actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill instructs the agent to enumerate active subagents and kill matching sessions before starting chapter work. That is a control-plane capability affecting other running work, and it exceeds what is strictly necessary for novel authoring because it can terminate unrelated or misidentified sessions if labels collide or matching is too broad. In this context the capability is framed as operational safety, but it still creates a real denial-of-service risk inside the agent environment.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The legacy natural-language triggers are broad enough to match ordinary conversational requests such as creating a project or showing books, which can cause the skill to activate when the user did not explicitly invoke NovelCraft. In an autonomous content-generation skill, unintended activation can lead to unexpected project creation, reconfiguration, or workflow execution, increasing the risk of prompt/command confusion and unauthorized actions within the agent context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README emphasizes fully autonomous novel creation but does not warn that this can generate large numbers of files, long-running outputs, and substantial workspace consumption. In an autonomous agent context, lack of disclosure about write amplification and execution scope can lead users to trigger broad file generation without informed consent or resource planning.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises optional image generation, including chapter images, without warning about external provider use, prompt/data sharing, cost, latency, or heavy CPU/GPU/disk impact. Because image generation may transmit story content or character descriptions to third-party services and can materially increase spend and output volume, omitting these warnings creates real privacy and operational risk.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The review rule 'No foreign characters' imposes an unjustified language and character-set restriction that can suppress legitimate names, dialogue, settings, and multilingual content. In a novel-writing skill, this can cause discriminatory output filtering, content degradation, and systematic rejection of valid text, especially for non-English or accented language use.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The document defines broad natural-language commands such as status queries, step execution, and workflow progression using ordinary conversational phrasing. In an agent skill, these phrases can be matched unintentionally from normal user dialogue or surrounding content, causing the agent to perform actions the user did not explicitly invoke.

Vague Triggers

Medium
Confidence
98% confidence
Finding
The reset and delete examples use very generic natural-language phrases like resetting configs or deleting a project, with no strong scoping or confirmation semantics. If an agent interprets these literally from ordinary conversation, quoted text, or prompt-injected content, it could destroy project data unintentionally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown documents destructive operations like reset and delete without warning language, confirmation steps, or safety boundaries. In a highly autonomous content-generation skill managing multiple projects, this increases the chance that destructive actions are invoked casually or via ambiguous interpretation, resulting in loss of user work.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The setup guide defines broad natural-language activation phrases like starting a new project or setup, which can overlap with ordinary user conversation. In a chat-integrated skill, that ambiguity can cause unintended invocation of project creation or reconfiguration workflows, especially if the assistant treats descriptive statements as commands.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The legacy trigger phrases such as "Create NovelCraft project" and "Reconfigure NovelCraft" are short, generic, and lack clear scoping or activation constraints. That increases the chance that unrelated chat text, summaries, or quoted examples will be interpreted as commands, leading to accidental workflow execution or configuration changes.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The natural-language command section encourages activation via common phrases such as "Start NovelCraft," "Show ...," and "Change [X] to [Y]," but does not define boundaries or non-activation examples. This makes prompt/command confusion more likely and can let routine conversation or embedded text trigger tool behavior unexpectedly.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The manifest explicitly advertises fully autonomous generation of complete PDF/EPUB outputs using subagents and external document toolchains, but it does not warn users that invoking the skill may create substantial file artifacts and trigger downstream processing. In a skill ecosystem, this can lead to unexpected file creation, excessive resource usage, or trust boundary issues because operators may treat the skill as content-generation only rather than a workflow that writes and transforms publishable files.

Vague Triggers

Low
Confidence
76% confidence
Finding
The description is very broad about autonomous behavior and lacks boundaries on when autonomy is activated, what stages are optional by default, and what constraints apply to subagents and publication steps. That ambiguity increases the chance of unintended execution scope, especially in automated environments where skills may be selected and run based on manifest text alone.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly instructs the agent to write and copy files in the local workspace without any requirement for user confirmation, dry-run behavior, or warning that filesystem state will be modified. In an autonomous skill, this creates a real integrity risk: the agent can overwrite, create, or promote content automatically, and the fixed absolute paths increase the chance of unintended changes if variables are mis-bound or the workspace context is wrong.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This template instructs the agent to send book-related image prompts and configuration to a network-accessible service at http://192.168.2.150:7861 without any notice, consent gate, or data-classification check. In an autonomous content-generation workflow, prompts may contain unpublished manuscript details, character descriptions, or other sensitive project content, so silent transmission to a remote endpoint creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template instructs the agent to write a review file and copy an approved chapter into the final project directory, but provides no requirement for explicit user confirmation, dry-run behavior, or guardrails around file modification. In an autonomous workflow, this can cause unintended state changes, overwrite trusted content, or advance low-quality/manipulated chapters into the canonical output without a human checkpoint.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template instructs the agent to save the revised chapter directly back to the existing draft path, which causes an in-place overwrite of prior content without any confirmation, backup, or versioned output. In an autonomous writing workflow, this can irreversibly destroy earlier drafts or propagate bad revisions, especially if the review input is malformed or adversarial.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The rule requiring 'no foreign characters' imposes an unjustified character-set restriction that can corrupt names, dialogue, quotations, or multilingual content by forcing lossy normalization. While not a direct code-execution issue, it can silently damage user content and create discriminatory or incorrect outputs in a book-authoring context where diverse languages and names are expected.

Session Persistence

Medium
Category
Rogue Agent
Content
- 📁 **Draft/Approved Folders** — Quality separation
- ⚙️ **Standardized Config Schema v3.2** — Clear 3-level hierarchy
- 👥 **Target Audience Profiles** — **NEW:** Auto-configure for age groups (6-8, 8-12, 12-16, 16-25, 25+, 60+)
- 🔁 **Max 3 Revisions** — Forced rewrite if needed
- 🤖 **Subagent Architecture** — Each module runs isolated

---
Confidence
84% confidence
Finding
write if needed
- 🤖 **Subagent Architecture** — Each module runs isolated

---

## 🚀 Quick Start

### 1. Create Configs in Workspace

```bash
mkdir -p ~/.openclaw/workspace/novelcraft/config
# Copy mo
```

VirusTotal

66/66 vendors flagged this skill as clean.
