Back to skill

Security audit

Onkos

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real novel-writing memory tool, but it needs review because it can read caller-supplied local files and delete or rewrite project data without strong built-in safeguards.

Install only if you want an agent to manage persistent local novel-project memory. Keep backups, review any imported settings or content paths, avoid pointing it at sensitive files, and require explicit confirmation before delete, clear, update, or model-download actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata describes a narrowly scoped novel-consistency engine, but this file exposes a much broader command surface for project administration, data mutation, deletion, analytics, and workflow orchestration. That scope mismatch is dangerous because users and host systems may grant trust, routing, or permissions based on the manifest’s limited purpose while the skill can influence or trigger substantially more powerful actions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
These commands allow deletion of settings and related project data, which is a destructive capability not clearly required by the stated consistency-tracking purpose. In a skill expected to help with writing continuity, unexpected delete operations increase the risk of irreversible data loss, especially if invoked through natural-language routing or user misunderstanding.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Commands to abandon facts/hooks and delete all chapter scenes are clearly destructive and can erase or invalidate large portions of project state. This is especially risky here because the skill is framed as a writing-assistance tool, so users may not anticipate irreversible state changes from what appears to be routine workflow guidance.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill is described as a novel-writing consistency engine, but this entrypoint exposes broader state-changing operations such as project initialization, settings import/update/delete, graph mutation, and branch management. That scope expansion increases the chance an agent or user invokes destructive or privacy-affecting actions under a misleadingly narrow trust model, especially in an automated tool-calling environment.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `extract-file` action accepts an arbitrary `text_file` path and reads it directly with `open(...)` without constraining the path to project content, validating allowed directories, or checking file type. In an agent/skill context, this expands the tool from novel-entity extraction into a general local-file read primitive, which can expose secrets or unrelated system files if an upstream prompt or workflow can influence the argument.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The code exposes destructive operations that delete nodes and all connected edges in a shared SQLite database used for persistent memory. In the context of a novel-writing skill, broad CRUD against shared state exceeds a narrowly scoped consistency helper and increases the chance of unintended or unauthorized data tampering, corruption, or loss if the interface is invoked with untrusted input.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The CLI publicly advertises generic administration capabilities such as add, update, delete, export, and graph traversal, making the script a general-purpose database management surface rather than a narrowly bounded consistency tool. In an agent skill environment, this broader command surface can be abused by prompt-driven workflows or other components to modify persistent state beyond the user's intended task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The unified action handler accepts a user-controlled `content_file` path and reads it from the local filesystem, including relative paths resolved against the database directory. In an agent skill context, this grants arbitrary local file read capability unrelated to the stated novel-memory purpose, creating a path traversal and sensitive data exposure risk if an attacker can influence action parameters.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The initializer accepts an arbitrary --project-path and then creates multiple directories and files under that location with no restriction to a dedicated workspace or safety checks. In an agent context, this gives the skill broad filesystem write capability beyond narrowly scoped novel assistance, which can be abused to modify unintended locations or plant persistent artifacts on the host.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The auditor accepts a user-controlled content_file path and opens it directly without constraining it to the project directory or validating that it is an expected chapter source. In an agent environment, this enables local file read access to arbitrary files the process can access, which can disclose secrets, credentials, prompts, or system data unrelated to chapter auditing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The suggestions action repeats the same unsafe pattern by reading any user-supplied content_file path and then processing its contents. Because this skill is meant for novel chapter quality analysis, broad local file reading is unnecessary and increases the chance that an attacker can exfiltrate sensitive local data through the tool's output.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implementation materially exceeds the declared skill purpose by providing a generic semantic embedding downloader, local model manager, and CLI. This capability mismatch is dangerous because users and reviewers may grant the skill broader trust than warranted, while the code silently introduces network retrieval and local file manipulation unrelated to the manifest's narrow novel-consistency framing.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This file invokes `curl` to fetch remote model files, which is a privileged capability not justified by the manifest's stated novel-writing role. In context, hidden subprocess-driven downloads increase supply-chain and transparency risk because they can pull unreviewed artifacts from external sources under the guise of a content-writing utility.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The compare operation calls analyze(text, "_temp_compare"), which persists a new profile to the style data file as a side effect. This violates the documented read-like behavior of comparison and can unexpectedly modify user data, overwrite prior temporary state, or leak compared text-derived metadata into persistent storage.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Writing a temporary profile to disk during comparison exceeds the expected scope of a comparison tool and creates an unintended data-retention channel. In this skill context, users may compare unpublished or sensitive text, so persisting a derived profile without explicit consent increases privacy and integrity risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions are broad and include common phrases for brainstorming, revision, querying prior events, and quality feedback, which can cause the skill to activate in situations where native model behavior would suffice. In this skill, ambiguous activation is more dangerous than usual because activation can lead to shell-driven workflows, database writes, imports, and state mutation under a 'MUST use' policy.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation says natural-language requests like '写第15章' or '检查一下连贯性' can directly trigger operational behavior, but it does not warn users that plain-language inputs may execute commands. This increases the chance of unintended actions, ambiguous intent resolution, and accidental state changes without clear command-mode consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Destructive commands are presented without a prominent general warning about irreversible consequences. Without clear safety UX, users may invoke data-deleting operations assuming they are reversible editing helpers, leading to permanent loss of scenes, facts, or hooks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation exposes a destructive delete capability that permanently removes characters, entities, relationships, facts, and foreshadowing, but it does not prominently warn about irreversible data loss or require confirmation/backup guidance. In a content-management skill that manipulates a novel project state, this increases the risk of accidental or socially engineered deletion of important project data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete_character method irreversibly unlinks matching JSON files without any confirmation, soft-delete, backup, or audit trail. In an agent context, a mistaken action mapping, prompt injection into tool selection, or ambiguous character name could cause unintended data loss that is difficult to recover.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`_clear_chapter` performs destructive deletion/superseding of scenes, facts, and hooks immediately based only on a chapter argument, with no confirmation, dry-run mode, authorization check, or rollback. In an agent-executed context, a mistaken or malicious prompt could cause irreversible data loss across multiple subsystems with a single command.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code performs many writes and directory creations immediately when invoked, with exist_ok=True and no explicit confirmation, preview, or overwrite warning. In an agent-driven environment this can surprise users, cause unintended changes to existing filesystem content, and make abuse of the write primitive easier.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code downloads executable model artifacts from remote URLs and does so without any user-facing warning, consent flow, or strict fail-closed integrity policy. This is especially risky because if hash configuration is absent or a redownload fails after checksum failure, the code can retain and use a previously corrupted file, creating a meaningful supply-chain compromise path.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The delete path performs irreversible operations across multiple backends (knowledge graph nodes/edges, character files, facts, hooks, and project config) immediately after parsing a user-supplied file, with no confirmation gate, safety interlock, or rollback. In an agent skill context, where actions may be triggered indirectly from natural-language instructions or mistaken tool calls, this materially increases the risk of accidental or unauthorized mass data loss.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.