Novel Workshop

Security checks across malware telemetry and agentic risk

Overview

This writing skill does what it claims overall, but it can automatically send and share full generated content to hard-coded Feishu destinations the user may not have chosen.

Review this skill before installing. Only run it with prompts you are comfortable sending to OpenRouter-backed models and storing in Feishu. Set your own Feishu chat, folder, and owner values, remove the hard-coded defaults or automatic full_access grant, and avoid sensitive material unless you add confirmation, redaction, and a local-only option.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Tainted flow: 'FEISHU_OWNER_OPEN_ID' from os.environ.get (line 38, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
doc_id = resp.get("data", {}).get("document", {}).get("document_id", "")
if doc_id:
    try:
        requests.post(
            f"https://open.feishu.cn/open-apis/drive/v1/permissions/{doc_id}/members?type=docx&need_notification=false",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            json={"member_type": "openid", "member_id": FEISHU_OWNER_OPEN_ID, "perm": "full_access"},
Confidence
92% confidence
Finding
requests.post( f"https://open.feishu.cn/open-apis/drive/v1/permissions/{doc_id}/members?type=docx&need_notification=false", headers={"Authorizat

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs use of shell execution, filesystem writes, environment variable access, and network calls, but does not declare corresponding permissions. That mismatch weakens policy enforcement and user understanding, especially because the workflow sends data to external model providers and Feishu while writing local archives.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Granting full document access to a preconfigured Feishu user is not necessary for a novel-writing/archive workflow and expands access beyond the originating user. In this skill's context, the document contains all user prompts and generated content, so unnecessary sharing materially increases confidentiality risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases include very generic requests like '写一篇小说' ("write a novel") and '命题写作' ("writing on an assigned topic"), which can cause the skill to activate during ordinary writing interactions where the user did not intend external processing or archival. In this skill, accidental activation is more dangerous because it forwards prompts to third-party models and stores full content in Feishu and local files.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description does not clearly warn users that their full prompt and generated drafts, reviews, and final text will be transmitted to OpenRouter-backed providers and stored in Feishu, with progress messages sent to chat. This is a meaningful disclosure failure because users may provide sensitive or unpublished content under the assumption it stays local or within the primary system.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends the user's prompt, the full draft, multiple reviews, and the revised story to external model providers and may also push status/content-derived metadata to Feishu, but it provides no explicit consent or privacy warning before transmission. In a writing tool, users may include unpublished or sensitive material, making undisclosed third-party transmission more dangerous.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions require passing the user's original prompt without modification and fully archiving content, which creates a direct path for sensitive information to be retained and disclosed verbatim. Because the destination includes local storage and Feishu documents, any secrets, personal data, or confidential manuscript material in the prompt may be unnecessarily propagated and preserved.

Ssd 3

Medium
Confidence
94% confidence
Finding
Mandating that Feishu documents omit nothing means all drafts, reviews, and final text are fully exposed in an external collaboration platform, regardless of sensitivity. In context, this is particularly risky because creative prompts can contain proprietary ideas, personal narratives, or embedded secrets, and the skill offers no warning or content filtering.

Ssd 3

High
Confidence
99% confidence
Finding
The hard rules combine two risky directives: transmit the user's prompt exactly as given to external models and store all resulting content without omission. This strongly increases the chance of leaking secrets, personal data, or confidential text, and the 'all content' rule removes any safety valve for sanitization or minimization.

Ssd 3

High
Confidence
97% confidence
Finding
The workflow explicitly preserves and uploads all model- and user-provided content without any redaction, minimization, or sensitivity checks. In this skill context, that includes raw prompts, drafts, reviews, and final text, so any sensitive or proprietary material supplied by the user is copied to local storage and potentially to Feishu in full.

Ssd 3

High
Confidence
96% confidence
Finding
The function documentation and implementation emphasize complete retention and transmission of all document contents, reinforcing that no filtering or privacy guardrails exist. This increases the likelihood of accidental disclosure of confidential prompts, generated content, or embedded personal data to Feishu and to anyone with access to the created document.

VirusTotal

66/66 vendors flagged this skill as clean.
