
Security audit

novel-weaver

Security checks across malware telemetry and agentic risk

Overview

This is a local, offline novel-writing workflow skill that persists project files as expected, with some permission-documentation and trigger-breadth caveats.

Install only if you want a structured, local novel-project workflow that creates and updates project files. Be aware that it saves drafts and metadata on disk, and invoke it deliberately for novel/project work rather than casual writing or editing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Tainted flow: 'word_count' from sys.stdin.read (line 186, user input) → subprocess.run (code execution)

Critical
Category
Data Flow
Content
# ── Step 3: state_manager.update-sub — immediate state marking ──
    word_count = len(content.replace("\n", ""))
    state_manager = SCRIPTS_DIR / "novel_state_manager.py"
    result = subprocess.run(
        [sys.executable, str(state_manager), "update-sub",
         state_path, chapter, sub_key, str(word_count)],
        capture_output=True, text=True, encoding="utf-8"
Confidence
90% confidence
Finding
`word_count` is computed from the chapter text read from `sys.stdin` and passed as `str(word_count)` in the argument list of `subprocess.run([sys.executable, str(state_manager), "update-sub", state_path, chapter, sub_key, str(word_count)], ...)`, so a stdin-derived value reaches a code-execution sink. Triage note: the call uses an argument list without `shell=True`, and the tainted value is the decimal form of an `int` from `len(...)`, so it cannot inject shell metacharacters or extra arguments at this sink; what the value can influence is limited to how `novel_state_manager.py update-sub` handles that argument. The other argv entries (`state_path`, `chapter`, `sub_key`) are not covered by this finding.
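To make the triage note concrete, here is an added example (not code from novel-weaver or SkillSpector) that pushes the same kind of value through both sink shapes: an argument list, as in the flagged call, and a command string with `shell=True`. The sample text, the `PAYLOAD` string, the `count_words` helper and the `echo` commands are constructed for the demo; the `shell=True` cases assume a POSIX `sh`.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample chapter text containing a shell metacharacter sequence.
SAMPLE_CONTENT = "Chapter one.\n42; echo INJECTED\n"
# Constructed payload standing in for a tainted argv entry.
PAYLOAD = "42; echo INJECTED"


def count_words(content: str) -> int:
    """Mirror of the flagged line: whatever the text contains, the sink receives an int."""
    return len(content.replace("\n", ""))


def run_argv(value: str) -> list:
    """Argument-list form, as in the flagged subprocess.run call.
    The child (a throwaway `python -c` script) reports its argv, showing that
    `value` arrives as exactly one argument, metacharacters included."""
    proc = subprocess.run(
        [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))", value],
        capture_output=True, text=True, encoding="utf-8", check=True,
    )
    return json.loads(proc.stdout)


def run_shell_unquoted(value: str) -> str:
    """Counter-example: command string + shell=True. POSIX sh parses `value`,
    so the `;` splits it into two commands and the second one runs."""
    proc = subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True)
    return proc.stdout


def run_shell_quoted(value: str) -> str:
    """Same sink shape, but the value is shell-quoted first, so it stays one word."""
    proc = subprocess.run(f"echo {shlex.quote(value)}", shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    wc = count_words(SAMPLE_CONTENT)
    print("word_count passed to the sink:", wc, type(wc).__name__)
    print("argv form          :", run_argv(PAYLOAD))
    print("shell=True unquoted:", repr(run_shell_unquoted(PAYLOAD)))
    print("shell=True quoted  :", repr(run_shell_quoted(PAYLOAD)))
```

The argv form is what the flagged code uses; the unquoted `shell=True` form is the shape a taint rule like this one is really looking for. When reviewing a "tainted flow to subprocess" finding, the two things to check first are whether the sink takes a list or a string, and what type the tainted value has when it gets there.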

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata declares low sensitivity and does not expose explicit permissions, yet the content clearly instructs use of local Python scripts, filesystem reads/writes, and shell-like command execution. This mismatch can cause the host or user to underestimate the skill’s real capabilities, increasing the chance of unintended file access or modification during execution.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
`finalize_chapter()` directly rewrites the state JSON after earlier comments indicate state writes should go through `state_manager.save_state` with fingerprint/integrity checks. Bypassing the documented validation path can let malformed or concurrent updates silently corrupt workflow state, weaken integrity guarantees, and create opportunities for logic abuse if other components trust those checks.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger phrases are broad enough to match common writing requests such as general article or story help, which can activate a workflow that performs local state management and file operations unexpectedly. In a skill with persistence and script execution, overbroad activation increases the risk of the wrong tool being invoked for a casual request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list is broad enough to match many ordinary writing requests, which can cause the skill to activate outside the user's clear intent. In an agent setting, ambiguous invocation can lead to unexpected instruction injection into unrelated conversations, altered outputs, or unintended access to the skill's workflow and stored project data.

Session Persistence

Medium
Category
Rogue Agent
Content
- 🔴 **[Mandatory] Core planning field protection** — `novel_state_manager.py` applies an MD5 fingerprint check to `chapters[].title/overview`, `sub_structures[].title/summary/tone`, `characters[].name/role/traits/mbti/archetype` and `novel_info/writing_style/setting`; **the LLM may not update them**. Only runtime fields such as `word_count/status/timeline/notes` may be updated
- **[Required] Confirm before writing** — scene configuration and outline must be confirmed by the user before the writing stage begins
- **[Required] Plan before writing** — each chapter must first go through `plan-chapter` (with an emotional tone plus optional emotions) → `novel_causality_check.py sub-structure` (causal-chain validation) → `context_loader` passing the sub-structure existence check before writing may start
- **[Required] Writing rules** — each segment ≤200 lines (ending at a natural paragraph break), atomic write with per-line fsync, `L##S##` marker lines are forbidden in body text (they will be blocked)
- **[Required] Register while writing** — when a new character appears, run `novel_state_manager.py add-char`; at the end of each chapter, run `novel_timeline.py add`
- **[Required] Four checks per chapter + blocking loop** — after completion run `finalize-chapter`: intra-chapter connectivity → cross-chapter promise chain → style check → logic check → aggregate hard failures and block (on failure the gate is not marked and the phase does not advance); on pass, the phase advances automatically
- **[Required] Three whole-book checks** — once the full text is complete, the following must run: `novel_fidelity.py` (outline fidelity) + `verify-ending` (ending closure verification) + `set-phase stage3_ready`
Confidence
87% confidence
Finding
write with per-line fsync, `L##S##` marker lines are forbidden in body text (they will be blocked) - **[Required] Register while writing** — when a new character appears, run `novel_state_manager.py add-char`; at the end of each chapter, run `novel_timeline.py add` - **[Required] Four checks per chapter + blocking loop** — after completion run `finalize-chapter`: intra-chapter connectivity → cross-chapter promise chain → style check
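The Intent-Code Divergence finding and the "[Mandatory] core planning field protection" rule above describe two sides of one control: planning fields are sealed with an MD5 fingerprint and are supposed to be written only through a checked `save_state` path with atomic writes, while `finalize_chapter()` is reported to dump the state JSON directly. The following is an added example, not code from novel-weaver, of how such a guarded path behaves and what the bypass costs. The state layout (flat lists under the top level, sub-structures located by `chapter` and `key`), the `seal`/`update_sub` signatures, the `refused` helper and the `demo()` harness are assumptions made for this example; the field names come from the rule quoted above.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed layout: the page names these fields; the flat nesting and the chapter/key
# lookup used by update_sub are guesses made for this example.
PROTECTED = {                       # None = the whole subtree is a planning field
    "novel_info": None, "writing_style": None, "setting": None,
    "chapters": ("title", "overview"),
    "sub_structures": ("title", "summary", "tone"),
    "characters": ("name", "role", "traits", "mbti", "archetype"),
}
SAMPLE_STATE = {                    # constructed sample state
    "novel_info": {"title": "Example Novel"}, "writing_style": {"pov": "third"}, "setting": {"era": "1920s"},
    "chapters": [{"title": "Arrival", "overview": "Mara reaches the city.", "status": "planned"}],
    "sub_structures": [{"chapter": 1, "key": "S01", "title": "Station", "summary": "Crowds, fog.",
                        "tone": "uneasy", "word_count": 0, "status": "planned"}],
    "characters": [{"name": "Mara", "role": "lead", "traits": ["wary"], "mbti": "INTJ", "archetype": "seeker"}],
}

class ProtectedFieldModified(Exception):
    """Guarded save refused: a planning field no longer matches the seal."""

def protected_view(state: dict) -> dict:
    """Only the planning fields, so edits to word_count/status/timeline/notes leave the tag unchanged."""
    view = {}
    for key, fields in PROTECTED.items():
        if key in state:
            view[key] = state[key] if fields is None else [{f: i.get(f) for f in fields} for i in state[key]]
    return view

def fingerprint(state: dict) -> str:
    # MD5 as the page describes: an integrity tag against accidental or LLM edits, not a
    # defence against anyone who can rewrite the file and recompute the tag.
    canon = json.dumps(protected_view(state), sort_keys=True, ensure_ascii=False, separators=(",", ":"))
    return hashlib.md5(canon.encode("utf-8")).hexdigest()

def seal(state: dict) -> dict:
    """Record the tag; per the page this happens once the user has confirmed the plan."""
    return {**state, "_fingerprint": fingerprint(state)}

def load_state(path: Path) -> dict:
    return json.loads(path.read_text(encoding="utf-8"))

def save_state(path: Path, state: dict) -> None:
    """Guarded write: verify the seal, then temp file in the same dir + fsync + rename."""
    if state.get("_fingerprint") != fingerprint(state):
        raise ProtectedFieldModified("planning fields changed; refusing to save")
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(state, fh, ensure_ascii=False, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def unguarded_rewrite(path: Path, state: dict) -> None:
    """The pattern the finding describes: dump the JSON directly, skipping the seal check."""
    path.write_text(json.dumps(state, ensure_ascii=False, indent=2), encoding="utf-8")

def update_sub(path: Path, chapter: int, sub_key: str, word_count: int) -> dict:
    """Runtime-field update through the guarded path (what `update-sub` is described as doing)."""
    state = load_state(path)
    for sub in state["sub_structures"]:
        if sub["chapter"] == chapter and sub["key"] == sub_key:
            sub["word_count"], sub["status"] = int(word_count), "drafted"
            break
    else:
        raise KeyError(f"no sub-structure {sub_key} in chapter {chapter}")
    save_state(path, state)
    return state

def refused(fn) -> bool:
    """True if the guarded path rejected the write."""
    try:
        fn()
        return False
    except ProtectedFieldModified:
        return True

def demo() -> dict:
    """Run the scenario in a temp dir and report what each path did."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "novel_state.json"
        save_state(path, seal(SAMPLE_STATE))
        sealed_fp = load_state(path)["_fingerprint"]
        after = update_sub(path, 1, "S01", 1234)             # runtime field: allowed
        tampered = load_state(path)
        tampered["chapters"][0]["title"] = "Departure"       # planning field: an LLM "improving" the plan
        guarded = refused(lambda: save_state(path, tampered))
        title_guarded = load_state(path)["chapters"][0]["title"]
        unguarded_rewrite(path, tampered)                    # finalize_chapter-style bypass
        title_unguarded = load_state(path)["chapters"][0]["title"]
        later = refused(lambda: update_sub(path, 1, "S01", 1300))  # damage surfaces on the next guarded write
        return {
            "fingerprint_stable_after_update": after["_fingerprint"] == sealed_fp == fingerprint(after),
            "word_count": after["sub_structures"][0]["word_count"],
            "guarded_refused": guarded, "title_after_guarded": title_guarded,
            "title_after_unguarded": title_unguarded, "later_guarded_refused": later,
        }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last step is the practical cost of the divergence: an unguarded rewrite does not fail on its own, it leaves a file whose planning fields no longer match its stored fingerprint, and the next guarded `update-sub` is what fails, far from the code that caused it. That is the "silently corrupt workflow state" outcome the finding describes, and it is why every writer of the state file should go through the same checked path.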

VirusTotal

54/54 vendors flagged this skill as clean.
