Novel Character Profile Builder

Security checks across malware telemetry and agentic risk

Overview

This writing helper mostly does what it claims, but it needs review because an optional workflow runner can execute configured Python expressions while the skill also reads, writes, moves, and deletes files in a chosen workspace.

Install only if you trust the publisher and will use a dedicated writing/LoreBible folder. Avoid custom or modified workflow configs unless reviewed, do not use --no-confirm on broad or sensitive directories, and treat generated conflict checks as helper feedback rather than a security or data-integrity guarantee.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (11)

eval() call detected

High
Category
Dangerous Code Execution
Content
                for task_id, result in self.results.items():
                    local_vars.update(result.outputs)

                return eval(condition, {}, local_vars)
        except Exception as e:
            logger.warning(f"评估条件失败 '{condition}': {e}")
            return False
Confidence
99% confidence
Finding
return eval(condition, {}, local_vars)

Tainted flow: 'output_path' from input (line 416, user input) → open (file write)

Medium
Category
Data Flow
Content
            if output_dir:
                os.makedirs(output_dir, exist_ok=True)

            with open(output_path, 'w', encoding='utf-8') as f:
                f.write(markdown_content)

            print(f"档案已生成:{output_path}")
Confidence
95% confidence
Finding
with open(output_path, 'w', encoding='utf-8') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to access a user workspace, save markdown files, create directories, and manage temporary/final files, yet no permissions are declared. This creates a trust and consent gap: users and the platform may expect a content-generation skill, while the skill can read and modify local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose emphasizes character-profile generation, but the documented behavior extends to scanning existing files, creating/managing directory trees, persisting session metadata, cleaning temp files, and orchestrating sub-agents from workflow configuration. That mismatch can mislead users into granting access to a skill whose effective capabilities are substantially broader than advertised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This logic allows arbitrary Python expression execution for workflow conditions, which is unnecessary for a character-profile orchestration tool and dramatically expands the attack surface. In this skill context, workflow definitions are operational metadata, so treating them as executable code creates an unjustified remote-code-execution primitive if configs are tampered with.

Missing User Warnings

Low
Confidence
82% confidence
Finding
This section tells users that generated profiles can be saved as files, but it does not clearly warn that the skill may perform filesystem writes. While not inherently malicious, the omission weakens informed consent and can lead to unexpected modification of the user's environment.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The enhanced mode introduces automatic workspace initialization, temporary-file storage, file moves, and session persistence in a specified directory without a clear warning about these write operations. This increases the chance of unintended changes to user data, especially if the provided workspace path is broad or sensitive.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The role/character scan feature reads existing markdown files from the workspace to build indexes and perform checks, but no privacy warning is given. Even if intended for legitimate consistency checks, reading preexisting files can expose sensitive drafts or unrelated content if the workspace is mis-scoped.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick-creation workflow writes generated content directly into the final Characters directory without the conflict detection, temporary staging, or user confirmation present in the safer workflow. In a content-management skill, this increases the risk of accidental overwrite, inconsistent canon data, or persistence of malformed/unreviewed files, especially if downstream components trust files in the final directory as approved content.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
python scripts/generate_profile.py --name "李四" --age "30" --workspace "/path/to/lorebible"

# Skip user confirmation
python scripts/generate_profile.py --name "王五" --workspace "/path/to/lorebible" --no-confirm

# Specify the template type
python scripts/generate_profile.py --name "赵六" --type "protagonist" --workspace "/path/to/lorebible"
Confidence
88% confidence
Finding
--no-confirm

Tool Parameter Abuse

High
Category
Tool Misuse
Content
python scripts/generate_profile.py --name "李四" --age "30" --workspace "/path/to/lorebible"

# Skip user confirmation
python scripts/generate_profile.py --name "王五" --workspace "/path/to/lorebible" --no-confirm

# Specify the template type
python scripts/generate_profile.py --name "赵六" --type "protagonist" --workspace "/path/to/lorebible"
Confidence
94% confidence
Finding
--no-confirm

VirusTotal

65/65 vendors flagged this skill as clean.
