Security audit

Cinematic Script Writer

Security checks across malware telemetry and agentic risk

Overview

The active skill is a disclosed cinematic-writing tool with optional Google Drive saving; bundled examples/templates add caution but do not show hidden malicious behavior.

Install only if you are comfortable with a Node-based writing tool that stores project context in memory and can upload generated scripts/prompts to your Google Drive when you connect and save. Avoid using the bundled template calculator as-is, and do not enable the separate file-manager example unless you intentionally want file read/write/delete capability.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation is a generic local file manager, not a cinematic script writer as declared in the skill metadata. This capability mismatch is dangerous because it can conceal unexpected access to local files behind an unrelated, lower-risk description, undermining user trust and security review boundaries.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill exposes broad read, write, list, exists, and delete operations on the local filesystem that are not justified by the stated purpose of script writing. Even with a base-path check, these operations enable collection, modification, and destruction of local data within the configured directory, which materially expands the attack surface for a content-generation skill.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The top-level documentation understates the module's behavior as 'Basic file operations' while the code includes destructive deletion capability. Misleading or incomplete documentation increases the chance that reviewers, users, or downstream integrators will miss high-risk behavior and grant the skill more trust than it deserves.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements a persistent todo-list skill, while the declared skill metadata describes a cinematic script writer. This capability mismatch is dangerous because it can hide undeclared data handling and behavior from reviewers and users, undermining trust boundaries and making it easier to smuggle unrelated functionality into an approved skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code stores, lists, updates, and deletes persistent user todos even though such task-management functionality is not justified by the cinematic-script-writer purpose. Unnecessary persistent capabilities increase attack surface and create a risk of collecting or mutating user data outside the expected scope of the skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The provided skill metadata describes a cinematic script-writing capability, but the manifest actually defines a filesystem-backed todo manager. This mismatch is dangerous because it can disguise the true functionality of the skill, causing reviewers or users to grant permissions and execute a package under false pretenses; the declared fs:read and fs:write permissions make the deception more concerning.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implemented functionality is a weather-fetching skill, while the declared skill is for cinematic script writing and related media assistance. This capability mismatch is dangerous because it can mislead reviewers and users about what code will run, weakening trust boundaries and potentially hiding unauthorized networked behavior inside an unrelated skill package.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file header explicitly states this is a weather skill, which directly contradicts the cinematic-script-writer metadata. Such contradictions are a strong indicator of mispackaging or mislabeled code, and they increase the risk that reviewers miss unexpected capabilities or that unrelated code is smuggled into a trusted skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The calculate function evaluates attacker-controlled input using the Function constructor, which is equivalent to dynamic code execution. In an agent skill context, this can allow arbitrary JavaScript execution within the skill runtime, potentially exposing memory contents, accessing context objects, or enabling further compromise depending on runtime isolation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes a generic greeting/calculation template, but it requests filesystem read/write and HTTP access that are not justified by the listed tools. This mismatch increases the risk of overprivileged execution, enabling data access, file modification, or outbound network activity beyond what a user would reasonably expect from the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
HTTP requests and filesystem write access are unjustified for a template whose declared tools only greet users and perform calculations. Unnecessary high-risk permissions create an avoidable attack surface: if the skill or a dependency is compromised, it could write files or exfiltrate data over the network without aligning with user expectations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises Google Drive integration with language indicating content may be auto-saved, but it provides no warning that user prompts, scripts, or generated media metadata could be transferred to a third-party cloud service and retained there. In a creative-writing skill, users may include unpublished IP, personal data, or sensitive project details, so silent or poorly disclosed cloud storage creates a meaningful privacy and data-governance risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The guide instructs users to pass a bearer API key directly on a curl command line, but it does not warn that shell history, process listings, CI logs, or shared terminals can expose that secret. This is not an active exfiltration mechanism in the file itself, but it is an insecure operational practice that can lead to credential leakage if users copy-paste the example as written.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The top-level description is broad enough to match many generic writing, prompt-generation, and guidance requests, which can cause over-invocation of a tool that also includes storage and external integration features. If auto-selected too often, the skill may handle user content in contexts where a simpler, non-tool response would have sufficed, unnecessarily exposing data to local binaries or network-backed features.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The 'When to Use' section lists many broad triggers without constraints, increasing the chance that an orchestrator will route ordinary creative requests into this skill. In this skill's context, that is more dangerous because the same package also supports persistence and Google Drive connectivity, so accidental activation can widen data exposure beyond the user's likely expectations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The CLI exposes a `connect-drive` command that initiates Google Drive connection immediately and prints the result, but provides no user-facing disclosure about what external account access is being requested or what data may later be stored there. In a skill that can save generated scripts and project context, this creates a meaningful consent/transparency issue: users may authorize external storage without understanding the scope of access or downstream data flow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `save` command writes project data to whichever storage backend is connected, but the CLI does not warn the user that content will be persisted externally or clarify the destination before saving. Given this skill handles creative scripts, context metadata, and possibly character/voice profiles, undisclosed persistence can lead to unintended data exposure or retention in local or cloud storage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The deleteFile method performs irreversible file deletion immediately, with no confirmation, soft-delete, recovery path, or user-facing warning. In the context of a skill that should be generating scripts rather than managing arbitrary files, this makes accidental or malicious data loss significantly more dangerous.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description is extremely broad ('Read, write, and manage files') and does not constrain when the skill should be invoked or what files it is intended to handle. In an agent ecosystem, this increases the chance of overbroad activation and unsafe use on sensitive paths or destructive operations without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest requests fs:write and fs:delete permissions and exposes write/delete tools without any user-facing warning or safeguard language about destructive behavior. This makes accidental or prompt-induced file modification and deletion more likely, especially because the skill is presented as a generic file manager rather than a tightly scoped utility.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The suggested YAML description explicitly promotes broad 'Use when...' trigger phrases as the primary activation mechanism, but it does not include scope limits, exclusions, or precision cues. In a skill-loading system where descriptions influence automatic activation, this can cause the cinematic-script-writer skill to trigger for loosely related requests, creating prompt-routing confusion and increasing the chance that the wrong skill handles user data or actions.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The report recommends adding natural-language trigger phrases because they help OpenClaw know when to activate the skill, but it does not warn against overmatching or ambiguous phrasing. In agent ecosystems, overly permissive activation language can lead to unintended invocation, inappropriate context loading, and accidental execution of capabilities that the user did not actually request.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The example instruction 'When a user wants to create a cinematic script' is too broad as an activation condition because many adjacent requests—story ideation, editing, summarization, image prompting, or screenplay critique—could match it. That ambiguity is risky in this skill context because the skill also mentions external actions like storage integration, so accidental activation may expose user content to the wrong workflow or toolchain.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The proposed ideal description still uses expansive trigger language covering cinematic scripts, story contexts, AI image prompts, and cinematography guidance without boundaries or exclusions. Because skill descriptions are used to decide activation, this broad wording increases the attack surface for misrouting and makes the skill more dangerous in context, especially since the metadata and narrative mention possible Google Drive interaction and multi-step agent behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest requests file-write and HTTP permissions without disclosing these capabilities to users in the description or tool definitions. Lack of transparency is dangerous because users may authorize or invoke the skill without understanding it can modify local files or send data externally, increasing the chance of silent misuse or data leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.