novel-orchestrator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed novel-writing workflow that makes persistent OpenClaw agent configuration changes; those changes match its stated purpose and require user confirmation before they are applied.

Install this only if you want a persistent four-agent novel-writing setup. Before running the setup flow, review the chosen workspace path, the ~/.openclaw/agents additions, the openclaw.json changes, the agentToAgent allow list, and which Moonshot or Xiaomi environment API keys the agents may use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 86%
Finding
The skill advertises automatic creation of four agents and orchestration of a multi-agent novel workflow, but the provided content only defines high-level routing rules and references an external setup guide. This mismatch can mislead users and downstream systems into trusting the skill to perform setup or workflow actions it does not actually implement, creating opportunities for unsafe assumptions, improper delegation, or hidden behavior in unreviewed referenced files.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
The skill is described primarily as an orchestrator for novel-writing agents, but this template provisions direct API-key based access to external LLM providers. That expands the skill's effective privilege and data egress surface beyond what is clearly justified, creating risk that spawned agents or downstream workflow steps can invoke third-party services with environment-backed credentials without explicit user awareness or opt-in.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document instructs the agent to create directories under the user's home directory, copy files, and edit `openclaw.json`, but it does not prominently warn that these are persistent filesystem and configuration changes. In an agent skill context, such instructions can lead to unintended local state modification, privilege boundary expansion via new agent registrations, and hard-to-reverse configuration drift if the user does not fully understand what will happen.

Vague Triggers

Medium
Confidence: 88%
Finding
The manager trigger phrases are broad, conversational, and likely to overlap with ordinary user requests, which can cause the orchestrator to invoke the manager role even when the user did not intend workflow orchestration. In this skill context, unintended manager activation matters because the manager role can change routing, initiate multi-agent coordination, and expand task scope, increasing the chance of unnecessary delegation, over-collection of context, or unexpected automated progression.

Vague Triggers

Medium
Confidence: 83%
Finding
The upgrade condition relies on vague stage labels like planning, writing, review, rework, and acceptance without precise detection criteria, so many mixed or loosely phrased requests may be escalated inconsistently. In this novel-production skill, that ambiguity is more dangerous because escalation changes execution mode from a single agent to a collaborative pipeline, which can amplify cost, scope, and unintended automation beyond what the user requested.

VirusTotal

VirusTotal findings are pending for this skill version.
