Novel Studio

Security checks across malware telemetry and agentic risk

Overview

This is a coherent novel-writing workflow, but it needs review because optional Feishu sync uploads manuscript files to a hard-coded space and some local cleanup can delete staging branches.

Install only if you want a persistent, file-backed writing workflow and are comfortable with helper scripts modifying the project directory. Do not use Feishu sync until you verify the destination space ID, credentials, and exact files to be uploaded. Keep backups before branch promotion or cleanup, because staging branches may be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run(cmd):
    # shell=True passes the command string to a shell; this is the line the scanner flags
    p = subprocess.run(cmd, shell=True, text=True, capture_output=True)
    if p.returncode != 0:
        raise RuntimeError(f'cmd failed: {cmd}\nstdout={p.stdout}\nstderr={p.stderr}')
    # drop the helper's own log lines and return the remaining stdout lines
    lines = [ln for ln in p.stdout.splitlines() if not ln.startswith('[lark-claw]')]
    return lines
Confidence
96% confidence
Finding
p = subprocess.run(cmd, shell=True, text=True, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to use local scripts, read reference files, persist project artifacts, and perform shell-like operations, but it declares no permissions. That mismatch is dangerous because users and platform policy may assume the skill is non-operational while it actually drives file reads, file writes, and command execution through the parent agent/runtime.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This script manages an 'autopilot' execution state that is not necessary for the declared end-to-end novel production workflow, creating hidden control behavior beyond the skill’s stated purpose. Even though the code itself is not overtly malicious, undeclared stateful automation can change how the agent behaves across turns, making user intent easier to override or persist in ways the user did not expect.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The confirmation gate accepts very broad, natural-language phrases such as '可以了' and '进入初稿', which can be triggered by ordinary user replies that may not reflect explicit, informed approval of the plan. In a multi-step content-production workflow, this creates a state-transition vulnerability where the agent may advance to drafting without a clear, unambiguous confirmation, leading to unwanted actions or loss of user control.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The template is fully written in Chinese and implicitly sets Chinese as the required output format without offering user choice or documenting that constraint. While not directly security-critical, this can cause instruction misalignment and unintended behavior if a user expects another language, especially in an automated workflow that may propagate the template unchanged into downstream steps.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions explicitly prefer overwrite mode when local markdown is treated as the source of truth, but they do not require a user confirmation, dry run, backup, or conflict check before modifying remote Feishu Wiki content. In a sync feature that writes into an external collaboration system, this can cause unintended data loss or destructive updates if local files are stale, incomplete, or mapped to the wrong target node.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guidance explicitly instructs immediate deletion of sibling branches and stale branch files after promotion, but provides no safeguards such as confirmation, backup, retention window, or user approval. In an agent skill that may manipulate the local filesystem under `/root/.openclaw/novels/...`, this creates a real risk of unintended destructive data loss, especially if branches contain user-created alternatives, review history, or mistakenly classified 'stale' work.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly requires persisting a scan artifact into project files, but the instruction does not require explicit user consent, disclose that local files will be modified, or constrain where writes may occur. In an agent setting, silent file creation or modification can violate user expectations, overwrite existing content, or create unintended data persistence, especially when combined with later workflow automation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly requires writing a preference-capture artifact into project files, but the instruction shown does not require user notice, consent, or confirmation before modifying files. In an agent environment, silent persistence of user-provided preferences can create privacy, transparency, and workspace-integrity risks, especially if the user does not expect file writes at this stage.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Mandating a Chinese filename without offering a language, locale, or naming choice can cause compatibility, usability, and workflow issues in some environments, especially for users or downstream tooling that expect ASCII or locale-configurable filenames. While not inherently malicious, hard-coding the filename reduces user control and can lead to operational friction or failed integrations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly requires producing and persisting files, but it does not require user disclosure or confirmation before modifying workspace contents. In an agent setting, silent file creation or overwrite can violate user expectations, cause integrity issues in the project directory, and be abused to plant or alter content without informed consent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The document explicitly permits the agent to infer revision intent from ordinary conversation before any formal marker is used. Although it later requires confirmation before applying changes, the trigger boundary for entering the revision workflow is vague, which can cause the agent to misclassify casual remarks as formal feedback and steer the workflow into unintended state transitions or scope analysis. In a multi-stage novel-production skill, that ambiguity can propagate confusion across planning, drafting, and revision artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The fallback rule explicitly instructs the agent to reconstruct missing project state and then write that reconstructed state back to `.novel-state.json` automatically. In an agent skill, silently persisting inferred state can overwrite user intent, create inaccurate durable records, and disclose or retain derived workflow data without an explicit user approval step. Because this workflow is designed for long-running creative projects, the persisted file may materially influence future actions, making a bad reconstruction operationally significant.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The template defines very broad approval phrases such as '可以了', '确认', and '进入下一阶段' as sufficient to proceed. In a conversational agent setting, these short generic utterances can easily appear in unrelated contexts or be elicited ambiguously, causing the workflow to advance without a clear, stage-specific confirmation from the user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads local Markdown files and uploads their full contents to Feishu without any user-facing disclosure, confirmation, or scoping guard. In a novel-production workflow, manuscript and character files may contain sensitive unpublished intellectual property or personal notes, so silent exfiltration to a third-party platform materially increases privacy and confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal