Cinematic Script Writer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate cinematic writing skill with disclosed cloud and local saving features, but users should be careful about where they save projects.

Before connecting Google Drive or local storage, decide whether the project contains private or unpublished material. Save to a dedicated folder, review any generated Drive links before sharing, and avoid using broad local paths such as your home directory as the storage target.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Description-Behavior Mismatch

High (98% confidence)
The implemented skill is a generic local file manager, which materially differs from the declared cinematic-script-writer purpose. This capability mismatch is dangerous because it can grant an agent broad filesystem access under misleading metadata, increasing the chance that users or orchestrators invoke it in sensitive contexts without expecting file-system side effects.

Context-Inappropriate Capability

High (97% confidence)
Arbitrary file deletion is not justified by the stated purpose of a cinematic script writer and creates a destructive primitive that could remove user data within the configured base path. Even with path confinement, an attacker or prompt-injected workflow could delete project files, configuration, or other sensitive local assets if the base path is broad.

Context-Inappropriate Capability

Medium (95% confidence)
The skill exposes broad read, write, and directory listing operations that exceed what is necessary for cinematic script generation. In the context of a misdeclared creative-writing skill, these primitives can be abused to inspect local files, overwrite content, or enumerate filesystem structure, which expands the attack surface and can facilitate data exposure or tampering.

Description-Behavior Mismatch

High (98% confidence)
The file's implemented behavior is materially different from the declared skill purpose: instead of cinematic script generation, it provides persistent todo-list storage and mutation operations. In an agent ecosystem, this kind of capability/manifest mismatch is dangerous because it can mislead reviewers, trigger unintended data access or persistence paths, and conceal functionality users and operators did not consent to.

Description-Behavior Mismatch

High (99% confidence)
The implemented skill is a weather API client, which materially contradicts the declared cinematic-script-writer purpose. This kind of capability/manifest mismatch is dangerous because it can hide undeclared behavior from reviewers and users, expanding trust beyond the stated function and enabling covert data access or exfiltration patterns under an unrelated skill label.

Context-Inappropriate Capability

Medium (94% confidence)
Fetching external weather data is unjustified by the stated cinematic script-writing purpose, so the skill has network reach that users and reviewers would not reasonably expect. In a mismatched skill context, any unnecessary outbound request increases the attack surface, creates opportunities for hidden data flows, and weakens least-privilege assumptions.

Intent-Code Divergence

High (98% confidence)
The file header explicitly says 'Weather Skill,' directly contradicting the cinematic-script-writer metadata. This strengthens the evidence that the packaged skill is mislabeled, which is dangerous because reviewers may approve a skill for one purpose while it actually performs a different one, undermining trust and security review integrity.

Context-Inappropriate Capability

High (99% confidence)
The calculate() tool evaluates attacker-controlled input using the Function constructor, which is equivalent to arbitrary code execution in the skill runtime. In the context of a cinematic script-writing skill, this capability is unjustified and especially suspicious because users would not expect a script-writing tool to execute expressions, increasing the chance that dangerous behavior is overlooked.

Context-Inappropriate Capability

Medium (94% confidence)
The manifest requests fs:read, fs:write, and http:request even though the declared tools only describe greeting and calculation, which do not require these privileges. Excessive permissions increase blast radius: if the skill implementation is compromised, misleading, or later extended, it could read local data, overwrite files, or exfiltrate information over the network without a clear functional justification.

Description-Behavior Mismatch

Medium (94% confidence)
The adapter advertises support for local, Dropbox, OneDrive, and custom providers even though the skill description only justifies Google Drive saving. This broadens the skill's storage and data-handling capabilities beyond the stated purpose, increasing the risk of unexpected persistence or later expansion to additional exfiltration paths without clear user consent boundaries.

Context-Inappropriate Capability

Medium (98% confidence)
The LocalStorageAdapter can create folders, write arbitrary files, read file contents, list directories, and delete files on the host filesystem. Because paths are derived from caller-controlled values with no confinement or path validation, this creates a broad local file access surface that exceeds the skill's stated need to save scripts to Google Drive and could be abused to overwrite, read, or remove unintended files.

Missing User Warnings

Medium (91% confidence)
The README advertises Google Drive auto-save functionality but does not warn users that prompts, scripts, character data, or other potentially sensitive content may be transmitted to and stored in a third-party cloud service. In a creative-writing skill, users may include proprietary story material, personal data, or confidential project details, so omission of a clear disclosure can lead to unintended data exposure and consent/privacy issues.

Missing User Warnings

Medium (88% confidence)
The skill encourages saving projects to Google Drive but does not clearly warn users that story content, prompts, character profiles, and metadata may be transmitted to an external third-party service. In a creative workflow, those artifacts can contain sensitive unpublished IP or personal data, so silent or poorly disclosed cloud transfer increases confidentiality and compliance risk.

Missing User Warnings

Medium (87% confidence)
The CLI exposes a `connect-drive` command that initiates Google Drive integration without any inline warning, confirmation, or explanation that an external third-party account may be linked and that project data could be transmitted or stored outside the local environment. In an agent/skill setting, this increases the chance of unintended data exfiltration or privacy violations because users may trigger the command without understanding the external access implications.

Missing User Warnings

Medium (84% confidence)
The `connect-local`/`save` storage flow exposes filesystem write capability without a visible warning, path safety checks, or confirmation about where data will be written. In an agent context, this can lead to unintended overwrites, writes to sensitive directories, or persistence of potentially sensitive content on disk without the user's informed consent.

Vague Triggers

Medium (93% confidence)
The manifest describes the skill as broadly able to "Read, write, and manage files" without clear scope limitations, allowed paths, or user-consent constraints. In an agent ecosystem, overly broad activation language can cause the skill to be selected in situations where sensitive or destructive filesystem operations are not appropriate, increasing the chance of unintended data access or modification.

Missing User Warnings

Medium (97% confidence)
The manifest exposes fs:delete permission and a deleteFile tool but provides no user-facing warning, confirmation requirement, or safety note about destructive behavior. This creates a real risk of accidental or overly broad deletion of user data, especially if the skill is auto-selected or invoked with ambiguous instructions.

Missing User Warnings

Low (76% confidence)
The skill stores per-user weather results in memory without any explicit disclosure or retention policy. While the cached data appears low sensitivity, silent persistence of user-related activity can still create privacy issues, especially when the skill's true purpose is already mismatched and users would not expect this storage.

Vague Triggers

Medium (94% confidence)
The report explicitly recommends adding broad 'Use when...' trigger phrases to the skill description so the platform activates it more often. In a skill-routing system, overly broad activation criteria can cause this skill to intercept unrelated creative or media requests, leading to unintended execution paths, prompt-context pollution, and possible invocation of connected capabilities such as storage or external integrations in the wrong context.

Vague Triggers

Medium (92% confidence)
The guidance says descriptions should include natural-language triggers matching how users ask for things, but it omits any collision-avoidance guidance. Without boundaries, these triggers can overlap with generic user intents and cause misrouting to this skill instead of more appropriate or safer skills.

Vague Triggers

Medium (91% confidence)
The proposed fix instructs adding plain-language AI instructions and trigger guidance, but does not require specificity or exclusions. In a skill ecosystem, vague activation guidance increases the chance of overbroad matching and unintended loading of the skill body, which can affect system behavior beyond the user's actual request.

Vague Triggers

Medium (95% confidence)
The checklist operationalizes the broad-trigger recommendation by instructing use of 'Use when...' phrases without any warning about overbroad activation. Because checklists tend to be implemented literally, this increases the likelihood that the published skill will adopt unsafe routing semantics.

Vague Triggers

Medium (96% confidence)
The template description includes broad conditions like creating story contexts, generating AI image prompts, and offering camera or lighting guidance, which can overlap with common creative-assistant requests. In this skill's context, that broad scope is more dangerous because the metadata also references saving scripts to Google Drive and external tooling, so accidental activation could expose users to unnecessary capability use or data handling paths.

Missing User Warnings

Medium (91% confidence)
The example encourages uploading generated artifacts to Google Drive and sharing the resulting folder link, but it does not clearly disclose that story content, prompts, character sheets, voice profiles, and metadata will be transmitted to a third-party cloud service. In an agent context, this can lead users to unknowingly export sensitive or proprietary material, especially if the generated content includes confidential project details or personal information.

Missing User Warnings

Medium (91% confidence)
The README explicitly encourages saving generated scripts and related materials to Google Drive and returning shareable links, but it does not warn that story content, character data, voice profiles, or metadata may contain sensitive or proprietary information. In an agent setting, omission of consent, visibility, and link-sharing caveats can cause unintentional external disclosure even if the feature is intended.

VirusTotal

66/66 vendors flagged this skill as clean.
