小说写作助手

Security checks across malware telemetry and agentic risk

Overview

This novel-writing skill appears purpose-built, but it can automatically create, update, and delete project files from broad conversational triggers.

Review before installing. Use it only in a dedicated writing workspace, prefer explicit /novel commands, check the resolved target path before initialization, and keep backups or version control because it can persist conversation-derived notes, update many project files, and remove generated draft intermediates.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (30)

Vague Triggers (Medium, 96% confidence)

The README maps ordinary Chinese phrases like '继续写', '开始第一章', '创建新小说项目', and similar natural-language requests directly to privileged skill commands. Because these phrases are common in normal conversation and not strongly scoped, the skill can be activated unintentionally, causing file creation or workflow execution when the user may only be chatting about writing. The broad trigger surface is more dangerous here because later commands perform filesystem writes and multi-step automation.

Vague Triggers (Medium, 94% confidence)

The step-specific examples reuse generic phrases such as '好的,继续下一步', '开始制定计划', '生成时间线', and '开始分解任务' as automatic triggers. These are common conversational phrases that could appear in many benign exchanges, making unintended progression through the workflow plausible. In this skill, accidental triggering is amplified because successive steps generate artifacts and can advance stateful project automation without an explicit command boundary.

Missing User Warnings (Medium, 91% confidence)

The documentation states that the skill will automatically create project directories and later generate or update multiple files, but it does not clearly warn the user about filesystem writes before execution. This weakens informed consent and increases the risk that users trigger the skill without realizing it will persist data or modify their workspace. The risk is heightened because the same README also advertises broad natural-language triggering, increasing the chance of unexpected writes.

Vague Triggers (High, 92% confidence)

The trigger rule says the skill can activate not only via explicit command but also from any Chinese description of intent recognized by AI. That makes invocation boundaries too loose, increasing the risk of unintended activation during ordinary conversation and causing downstream file creation, state changes, or workflow execution without sufficiently explicit user consent.

Vague Triggers (Medium, 89% confidence)

Several trigger examples are common conversational phrases like '继续写' or '开始第一章', which can appear in normal dialogue without clear intent to run a privileged skill action. In an agent environment, vague triggers can cause accidental invocation and unexpected writes, tracking updates, or workflow progression.

Missing User Warnings (Medium, 90% confidence)

The skill documents automatic project initialization, JSON creation, and knowledge-base copying, but it does not clearly warn the user that invoking the skill will modify the filesystem. In agent settings, undisclosed writes are risky because users may trigger the skill expecting planning help, not persistent file and directory changes.

Vague Triggers (Medium, 94% confidence)

The conversational triggers include broad natural-language phrases like '分析写作质量' and '质量检查', which can easily appear in ordinary user conversation rather than as an intentional command invocation. This can cause accidental activation of the skill, leading to unexpected behavior, context switching, or unintended processing of user content.

Natural-Language Policy Violations (Medium, 89% confidence)

The skill is authored entirely to produce Chinese-language output and does not indicate any fallback to user language preference or opt-in. While not directly enabling code execution or data exfiltration, this can override user expectations, reduce transparency, and increase the chance that users misunderstand analysis results or miss important warnings.

Missing User Warnings (Medium, 96% confidence)

The skill explicitly instructs the agent to append content to `stories/<story-name>/specification.md` but does not warn the user that running the command will modify project files. This creates a transparency and consent problem: users may invoke what appears to be a clarification dialog and unintentionally trigger persistent file changes, which can overwrite intent, pollute project state, or be chained with prompt-injected content from the conversation.

Missing User Warnings (Low, 90% confidence)

The skill explicitly instructs the agent to write and update files under `memory/constitution.md` and `memory/style-reference.md` without any explicit confirmation step or warning that local workspace data will be modified. While this appears intended for normal skill operation rather than abuse, silent file writes can still surprise users, overwrite prior content, or persist unwanted data in the workspace.

Missing User Warnings (Medium, 94% confidence)

The skill explicitly describes automatic updates to story files and appending content without requiring user confirmation, preview, or rollback behavior. In an agent context, this can lead to unintended modification of user content, file growth, duplication, or corruption of project artifacts, especially when triggered automatically every few chapters.

Vague Triggers (Medium, 95% confidence)

The conversational triggers are generic natural-language phrases like '记录这次问题' and '查看失败记录', which can plausibly appear in ordinary discussion rather than as explicit commands. In an agent environment, this can cause unintended invocation of the skill, leading to automatic reads or writes of `.fail-log` data and unexpected workflow side effects.

Vague Triggers (Medium, 95% confidence)

The conversational triggers are very broad generic phrases like '读者视角反馈' and '生成反馈报告', which can easily match ordinary user requests rather than an explicit skill invocation. This can cause unintended activation of the skill, leading the agent to switch modes or produce structured analysis when the user did not intend to invoke this command.

Vague Triggers (Medium, 90% confidence)

The skill can both auto-trigger every 5 chapters as part of another command and be run manually, but the boundaries for when each path should execute are not clearly defined. Ambiguous activation rules increase the chance of unexpected execution, duplicate runs, or context leakage between workflows, especially when embedded in larger multi-step agent behavior.

Missing User Warnings (Medium, 87% confidence)

The skill directs the agent to create a nontrivial directory tree and multiple files under either a user-supplied path or a default workspace-derived path, but it does not require an explicit confirmation step or prominent warning about where writes will occur. In an agent context, this can lead to unintended filesystem modifications, especially if the user misunderstands the default path behavior or provides an unsafe/incorrect target directory.

Vague Triggers (Medium, 91% confidence)

The conversational triggers are broad enough that normal discussion like '把这段设定记下来' or '更新记忆' could unintentionally invoke file-modifying behavior. Because this skill manages persistent project files, ambiguous activation can cause unintended writes and state changes from ordinary chat rather than an explicit command.

Missing User Warnings (Medium, 95% confidence)

The skill explicitly states that when the user mentions new setting information, the AI will automatically append it to files under `.learnings/` without warning or confirmation. Automatic persistent writes increase the risk of prompt injection through dialogue, accidental project modification, and poisoning of future writing context by storing incorrect or adversarial content.

Vague Triggers (Medium, 93% confidence)

The conversational trigger phrases are broad enough to match ordinary writing-related discussion, which can cause the skill to activate unintentionally. In an agent environment, this may lead to unrequested file reads, planning actions, or downstream workflow execution based on a casual user message rather than explicit consent.

Missing User Warnings (Medium, 96% confidence)

The skill specifies writing output to a workspace file but does not clearly warn the user beforehand that a file will be created or modified. This reduces transparency and can result in unexpected persistent changes to the project, especially if the skill is triggered accidentally or invoked in a shared repository.

Vague Triggers (Medium, 95% confidence)

The conversational triggers include very broad natural-language phrases such as '分解任务清单' and '生成写作任务', which could be matched during ordinary conversation rather than an explicit command invocation. That can cause the skill to activate unintentionally and read or generate project files in contexts where the user was only discussing planning, leading to surprising file writes or workflow transitions.

Vague Triggers (Medium, 89% confidence)

The conversational triggers like '生成时间线' and '创建时间线文档' are broad natural-language phrases that can overlap with ordinary user requests. In an agent environment, this can cause unintended invocation of the skill and subsequent file reads/writes without the user explicitly choosing the command-form entrypoint.

Missing User Warnings (Medium, 94% confidence)

The skill directs the agent to create and update project files, including `stories/<story-name>/timeline.md` and `spec/tracking/plot-tracker.json`, but does not require any user-facing disclosure or confirmation before making changes. This is dangerous because accidental or implicit invocation could silently modify repository state, overwrite work, or create misleading project artifacts.

Missing User Warnings (Low, 95% confidence)

The skill explicitly states it will create multiple files in the repository, but it does not warn about repository modification side effects or ask for confirmation. This can lead to unintended file writes, especially if a user invokes the command conversationally without realizing it changes project state.

Vague Triggers (Medium, 93% confidence)

The conversational triggers are broad, natural-language phrases that can overlap with ordinary discussion, making accidental invocation plausible. In a skill that performs checks and may block workflow, misfires can cause unintended file reads, validation actions, and user disruption even without malicious intent.

Missing User Warnings (Medium, 89% confidence)

The skill instructs the agent to read project files such as timeline.md, chapter content, and plot-tracker.json, and later update tracking state, but it does not clearly warn users that files will be accessed and modified. This reduces informed consent and can lead to unexpected exposure of project contents or unintended state changes in the workspace.

VirusTotal

66/66 vendors flagged this skill as clean.