Security audit

Writing Triadic

Security checks across malware telemetry and agentic risk

Overview

This writing skill is purpose-aligned but needs review because it builds persistent writing profiles and makes overly broad local-only privacy claims despite routing substantial content through remote model sub-agents by default.

Review before installing if you may paste confidential drafts, resumes, internal reports, or personal writing samples. Use local privacy mode for sensitive content, decline web research when privacy matters, and inspect or delete MEMORY.md, session folders, style fingerprints, and SEO profiles regularly.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The skill makes a strong privacy assurance that all data is stored only locally, yet elsewhere it explicitly supports sending user topics and keywords to external search providers for web research. Even with a consent gate, this is still a materially different data flow than 'all data only local' and can mislead users about what leaves the device.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The module instructs the system to persistently update MEMORY.md with SEO-related user/history data such as keyword preferences, title style preferences, intent distribution, and aggregate scores. This creates ongoing profiling and retention beyond the immediate writing task, which can expose user behavior or preferences across sessions without clear consent, minimization, or retention controls.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The document states that forbidden words should come from the user or MEMORY.md, but the injected alignment instructions create a conflicting authority for the Executor's own vocabulary habits. That inconsistency can cause the agent to override user-controlled style constraints, weakening prompt integrity and making behavior less predictable or user-aligned.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The alignment checklist explicitly says that if the Executor's own lexical fingerprint conflicts with the user's, it should forcibly preserve the Executor's output habits. In a style-cloning system this is dangerous because it creates instruction conflict, undermines user intent, and opens the door for hidden model-side or skill-side behavior to supersede declared controls.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The changelog explicitly acknowledges that prior skill behavior classified users by nationality ('Non-Chinese users'), which is a problematic policy signal because it can drive differential treatment based on protected or proxy attributes rather than user needs. Even though this entry documents a fix, it confirms the skill recently contained locale/nationality-based routing logic, which can create unfair, non-transparent, or policy-violating behavior if still present elsewhere in the skill or related reference files.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The README advertises very broad natural-language invocations such as '帮我写...' ("help me write...") and '写个...' ("write a...") without any clear trigger boundaries, exclusions, or confirmation requirements. In agent environments, this can cause overbroad activation on ordinary conversation and unintentionally route unrelated user input into the skill, increasing the chance of unintended data processing, memory writes, or network-enabled research flows.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly includes a 'Web research + knowledge base update' phase but does not clearly disclose that the skill may access external network resources or transmit user-provided content to third-party services. In a writing assistant context, users may paste sensitive drafts, resumes, reviews, or internal material, so undisclosed outbound access creates privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The workflow and feature list describe style evolution archives, memory updates, preference extraction, adoption tracking, and historical taboo retention across sessions without a clear retention, consent, or deletion notice. Because the skill is designed for personal writing tasks, this can accumulate sensitive behavioral and stylistic data over time in ways users may not expect.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger conditions are broad enough to match normal conversational phrases about writing, rewriting, drafts, or articles, which increases the chance of unintended activation. In this skill, unintended activation is more significant because activation can lead to persistent local memory reads/writes and potentially consent-seeking flows for web research.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
The guide explicitly instructs executors and readers to enforce a narrow stylistic and locale-specific writing standard, including penalties for bilingual mixing and non-native phrasing, without any indication that the end user requested such constraints. In an agent skill, this can cause unwanted steering of outputs, suppress legitimate multilingual expression, and override user intent in ways that are hard to notice because they are framed as quality guidance rather than policy.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The prompt directs the system to read and update persistent user-profile memory files across sessions without telling the user that their preferences, corrections, and behavioral profile will be retained. This creates a privacy and data-governance risk because users may disclose sensitive writing habits or personal context under the assumption of ephemeral processing.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The style-cloning workflow instructs the AI to derive a detailed writing fingerprint from user samples and save it to MEMORY.md after confirmation of accuracy, but not after informed consent to retention. Storing derived stylistic biometrics or profile-like attributes without a privacy warning increases the chance of covert profiling and unexpected long-term reuse of sensitive user expression patterns.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
Automatically creating or updating session-state.md persists session metadata such as mode, template, active modules, and decision logs without clear user disclosure. While less sensitive than raw content, this metadata can still reveal user behavior, goals, or workflow patterns over time.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The prompt requires user feedback and correction history to be logged automatically into persistent files, without notifying the user that these interactions become part of a long-term profile. Corrections and negative feedback often contain nuanced personal preferences, professional context, or sensitive examples that can accumulate into a detailed behavioral record.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The post-session workflow automatically merges analysis results into MEMORY.md and a knowledge base without a clear user-facing notice. This expands the retention surface beyond the immediate session and increases the risk that personal writing patterns, preferences, or session-derived inferences are propagated into broader long-term storage.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The trigger conditions are broad enough to activate long-form mode for many ordinary writing requests, which can cause the agent to apply unintended workflows, persist cross-session state, and inject prior context when the user did not explicitly ask for that behavior. In a skill that reads MEMORY.md and resumes prior chapter state, over-triggering increases the risk of scope creep, privacy leakage across sessions, and user intent misclassification.

Natural-Language Policy Violations

Severity: Medium
Confidence: 81%
Finding
Mandating Chinese terminology globally without user choice hard-codes an output constraint that can override user intent and produce incorrect or unusable content in other languages or domains. In a chapter-management protocol that enforces cross-chapter consistency, this restriction can propagate throughout the entire document and make recovery harder once writing has started.

Natural-Language Policy Violations

Severity: Medium
Confidence: 82%
Finding
This prompt is written entirely in Chinese and explicitly frames the reader persona, scoring rubric, and output format in that locale without any opt-in or fallback. In a multi-user or general-purpose agent, that can override user language preference, degrade comprehension, and cause incorrect or exclusionary behavior when the user expects another language or cultural context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill describes automatic modification of MEMORY.md but provides no user-facing notice or consent flow before writing persistent data. Silent persistence is dangerous because users may reasonably assume a one-shot content optimization task does not create a lasting profile, leading to unexpected data retention and cross-task leakage.

Ssd 2

Severity: Medium
Confidence: 92%
Finding
The README advertises 'AI-trace avoidance' and guidance to make output less detectable as AI-generated, which materially enables provenance evasion rather than ordinary quality improvement. In context, this can facilitate academic dishonesty, policy evasion, fraud, or deceptive impersonation by helping users conceal automated authorship.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The skill explicitly instructs the AI to persist and reuse user preferences, corrections, and writing-related history across sessions, creating a durable natural-language memory of user behavior. In context, this is more dangerous because the role is a writing assistant that encourages users to share rich personal and professional context, increasing the likelihood that retained notes contain sensitive information.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The style-cloning flow requires extracting an 8-dimension fingerprint from substantial user writing samples and storing it persistently, which creates a profiling and leakage risk beyond ordinary personalization. Because writing samples may embed personal, workplace, or identifying traits, persistent fingerprinting can expose more than surface-level preferences if memory is later reused, mishandled, or disclosed.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The prompt directs the AI to log user negative feedback and corrections into persistent files and later consolidate them into long-term memory, creating an accumulating record of user behavior and preferences. In a creative-assistant context, corrections can include confidential examples, personal voice markers, and sensitive instructions, making retention more dangerous than generic telemetry.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
This prompt directs the sub-agent to consume complete session data, including session-state, user feedback, and historical MEMORY content, then synthesize structured outputs from it. That creates a real privacy and data-minimization risk because the agent may unnecessarily process and reproduce sensitive user-provided information across contexts, especially if the full history contains personal, confidential, or regulated data.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
These instructions explicitly promote persistent logging of user preferences, quotes, feedback, scoring, and historical session details into MEMORY.md. Persistent storage of detailed behavioral and textual history increases the chance of long-term privacy leakage, profiling, unauthorized reuse, and prompt-surface exposure of sensitive content in later sessions, especially when the memory is reused automatically.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.