v2.2.0

fireseed-novel

BenignClawScan verdict for this skill. Analyzed May 3, 2026, 2:27 AM.

Analysis

This instruction-only skill is coherently aimed at publishing and managing novels on Fireseed, but users should notice that it uses a Fireseed token to create, edit, publish, and delete account content.

GuidanceInstall or use this only if you want the assistant to publish and manage works on fireseed.online. Provide a Fireseed token only for the account you intend to use, review generated chapters and target IDs before publishing or deleting, and prefer the Authorization header over putting tokens in request bodies when your tool supports it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

SKILL.md

commands: “发布单章或批量上传 MD 文件”, “修改已发布的章节”, “删除/恢复小说”

The skill documents API actions that can publish, modify, bulk upload, and delete Fireseed account content. This matches the stated publishing purpose, but these are high-impact actions the user should intentionally approve.

User impactIf used, the assistant can create or change novels and chapters on the user’s Fireseed account, including public publishing and soft deletion.

RecommendationUse the skill only when you intend to manage Fireseed content; review generated text, novel/chapter IDs, and delete operations before allowing API calls.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

POST /api/auth/token ... {"username":"你的用户名","password":"你的密码"} ... “Token 有效期 7 天”

The skill uses Fireseed credentials or a token to authenticate API requests. This is expected for the integration, but the token grants account-level publishing and management authority for its lifetime.

User impactAnyone or any agent with the token could act on the Fireseed account until the token expires or is replaced.

RecommendationUse a dedicated Fireseed account or token where possible, avoid sharing the password unnecessarily, and rotate the token if it may have been exposed.