Back to skill

Security audit

open-novel-writing

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese novel-writing helper that can create or overwrite project writing files, but the behavior is disclosed and aligned with its purpose.

Install only if you want an assistant that writes local novel project files. Use it in a dedicated folder, keep backups or version control, and be explicit about chapter ranges and overwrite expectations before using batch mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill describes file read/write behavior and structured local output paths, but no permissions are declared. That creates a trust and containment gap: a host may treat the skill as low-risk while it can still access or modify project files, including batch writes during automation. In a writing assistant context this is not inherently malicious, but undeclared filesystem capability can cause unauthorized overwrites, data loss, or unexpected access to user content.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The manifest presents the skill as a conversational novel-writing assistant, but the documentation expands into CLI-driven automation, filesystem management, standalone scripts, and automatic revision loops. This mismatch can mislead users and platform policy checks about operational reach, causing them to enable a skill that performs broader actions than expected. Because the extra behaviors include unattended batch file writes and rewriting, the impact is higher than a simple documentation inconsistency.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The metadata says the skill is 'not CLI-driven', yet later sections document direct CLI execution for bulk chapter generation. This inconsistency weakens user consent and operator understanding of how the skill can be invoked, especially in environments where CLI execution carries different risk controls than conversational use. In context, that makes accidental execution of bulk actions more plausible.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
Actively publishing CLI commands after claiming the skill is not CLI-driven creates deceptive documentation and bypasses expectation-setting. Users or integrators may not apply the safeguards they would normally require for shell-invocable automation, such as path validation, dry-run behavior, or backup prompts. The context increases risk because these commands trigger multi-file writes and unattended chapter generation.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases for automation are broad and overlap with ordinary user requests like '写5章' or '推进10章'. In an agent setting, overly generic triggers can cause unintended activation of high-impact workflows, leading to bulk content generation and file creation without the user realizing the full consequences. The danger is amplified here because the triggered flow performs repeated writes and revisions.

Vague Triggers

Medium
Confidence
74% confidence
Finding
Multiple module triggers are written as natural, broad conversational phrases without exclusion conditions. That makes it easier for unrelated discussion to be interpreted as an instruction to create files, generate chapters, or run review workflows. In a content-generation skill this can lead to unintended processing and project-state changes rather than direct system compromise, but it still presents a meaningful safety issue.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation advertises automatic multi-step batch writing and auto-saving, but does not warn users about overwrite risk, storage growth, cost, or the consequences of unattended runs. Missing risk disclosure matters because the workflow loops across planning, generation, review, and revision, potentially touching many files before a user notices a mistake. In this context the likely harm is accidental project corruption or unwanted mass output.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The CLI examples enable bulk file-writing operations without any visible warning, dry-run mode, or confirmation requirement. Command-line invocation increases the chance of rapid unattended execution, especially when a path is supplied and multiple chapters are generated at once. In a local project environment, that can overwrite existing work or fill directories with low-quality outputs before intervention.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.