Fanfic Writer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate novel-writing skill, but it needs Review because promised human approval gates are not actually enforced before some file writes and state commits.

Review before installing. Use it only in a workspace you are comfortable letting the skill modify, do not rely on manual mode as a hard approval gate before every internal step, and keep run directories private because prompts and manuscript text are retained locally and may be sent to your configured OpenClaw model provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The FileLock class advertises cross-platform exclusive locking, but on Windows the locking branch does not actually acquire any lock and simply proceeds. This can cause callers to believe mutual exclusion exists when it does not, leading to race conditions, corrupted state, or inconsistent writes in concurrent runs. In this skill, which manages state, snapshots, and transactional file updates, that mismatch is materially security-relevant because integrity and rollback guarantees may be bypassed under concurrent access.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The helper treats empty input as approval (`''` returns True), so merely pressing Enter allows the workflow to continue despite the CLI claiming each phase requires explicit human confirmation. In this skill context, those confirmations are positioned as a safety/control boundary before generating or writing files, so implicit approval weakens that safeguard and can enable unintended progression in semi-automated or scripted environments.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The lock implementation does not provide exclusive access as documented: when a lock file exists and the owning process is still alive, acquire() still unlinks the existing lock and proceeds. This allows concurrent processes to steal the run lock, leading to race conditions, state corruption, lost updates, and incorrect resume/recovery behavior in a workflow that relies on serialized access to run data.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The class documentation explicitly promises human confirmation in the phase flow, but the implementation only prints a notice in manual mode and then continues through generation, saving, and state commit without any enforced approval gate. In an agent skill that writes files and mutates persistent state, this creates a trust-boundary failure: operators may rely on documentation for oversight that does not actually exist.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The write_chapter flow runs the sanitizer, outline generation, draft generation/QC, save, and state_commit automatically, despite the skill metadata claiming '每个阶段人工确认' ("human confirmation at every stage") and despite comments suggesting manual review. This mismatch is especially risky because the code performs persistent file writes and updates workflow state, so a user or orchestrator expecting human-in-the-loop safeguards can be bypassed, and undesired content or corrupted project state can be committed automatically.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The quick-start trigger phrase is a normal conversational request ('帮我写一本都市灵异小说', "help me write an urban supernatural novel") that can easily overlap with ordinary user intent. If the platform uses broad phrase matching to invoke skills, this can cause accidental activation of a high-capability workflow that creates files, uses configured models, and initiates multi-stage processing without the user explicitly opting into this specific skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The function writes a generated quality-check prompt containing substantial portions of the outline, world-building, and chapter text to a persistent file on disk. This can expose sensitive or copyrighted manuscript content to unintended local users, backups, logs, or downstream tooling, especially because there is no minimization, consent gate, or warning that full book content will be materialized into a separate artifact.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill forwards prompts to externally supplied model-call interfaces from `oc_context` without any disclosure, consent, or trust-boundary validation in this file. Because book content, outlines, and potentially sensitive user-provided text may be sent to arbitrary callbacks or remote services, users may unknowingly expose private data to third parties.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The auditor persists the fully assembled prompt to disk, and that prompt is built from templates, prior chapter text, context blocks, summaries, inventory, and other user/content-derived state. In a writing assistant, prompts can easily contain sensitive user material, proprietary story drafts, or hidden system instructions, so verbatim logging creates a real confidentiality and retention risk if logs are accessed by other users, backup systems, or support tooling.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The design makes prompt audit logging mandatory and stores final prompts verbatim, which guarantees retention of any sensitive material included in user input, prior content, or internal instructions. Because the skill assembles long-form fiction context from multiple state files, the captured prompt may contain substantial private or proprietary content, increasing exposure in the event of filesystem access, log aggregation, or accidental disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.