
Security audit

Novel Studio 小说工作室

Security checks across malware telemetry and agentic risk

Overview

This skill is a Chinese-language novel-writing workflow whose behaviour is disclosed in its documentation: it reads and writes local manuscript project files in service of its stated purpose.

Install it only in a dedicated novel-writing workspace. Expect it to read project files and to create or update manuscript-related files, so keep the workspace under version control or backups, and do not point it at a broad personal folder such as a home directory.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (22)

Missing User Warnings
Severity: Medium. Confidence: 86%.
The documentation states that the AI will automatically create project files and initialize continuity artifacts, with no explicit consent checkpoint and no warning about filesystem side effects. In an agentic environment with write capability this can lead to unexpected file creation or modification under user-specified paths, which is risky if the path is wrong, overly broad, or sensitive.

Vague Triggers
Severity: Medium. Confidence: 94%.
The trigger conditions are broad enough to activate on ordinary user discussion about books, platforms, or marketability, so the agent can engage unintentionally and steer the conversation without clear user intent. In a multi-agent skill system this increases the risk of prompt-routing mistakes, context pollution, and accidental file access or writes by the wrong agent.

Vague Triggers
Severity: Medium. Confidence: 93%.
The trigger list is broad enough to match common conversational terms such as '角色' (character), '人物' (character, person), or '性格' (personality), which can cause the skill to activate outside the user's actual intent. Unintended activation matters here because the skill has file read/write capabilities and may begin project-modifying behaviour when the user was only discussing characters casually.

Missing User Warnings
Severity: Medium. Confidence: 96%.
The skill's instructions direct the agent to read project files and write output to a fixed project path, but include no user-facing warning or consent step before files are modified. In an agent environment, silent writes can overwrite work or create unwanted artifacts, and combined with accidental activation they can change project state without clear authorization.

Vague Triggers
Severity: Medium. Confidence: 93%.
The trigger terms are very generic, e.g. '版权' (copyright), '原创' (original work), '检测' (check, detect), and can cause this skill to activate in many unrelated conversations. In an agent system, over-broad auto-activation can lead to inappropriate tool use, unnecessary file access, and context hijacking, where the copyright advisor responds when another skill should handle the task.

Vague Triggers
Severity: Medium. Confidence: 90%.
The trigger condition matches very common words such as '写' (write), '创作' (create), '正文' (main text), and '更新' (update), which can cause the skill to auto-activate during ordinary conversation rather than only when the user explicitly wants this agent. In a multi-agent writing studio that increases the chance of unintended file access and unintended content generation, especially since this skill is configured to read and write project files.

Vague Triggers
Severity: Medium. Confidence: 86%.
The trigger list includes broad, everyday terms such as '检查' (check) and '编辑' (edit), which can cause the skill to activate in contexts far beyond proofreading requests. In an agent system, unintended activation can expose file access behaviours and cause the agent to read or modify project files when the user did not intend to invoke this skill.

Vague Triggers
Severity: Medium. Confidence: 88%.
The skill description is broad enough that ordinary requests about writing, memory, or project organization could invoke it, putting the agent into a file-reading and file-writing workflow unexpectedly. Because the skill has file.read, file.write, and file.search capabilities and is designed to modify project state, ambiguous invocation boundaries increase the chance of unintended workspace changes.

Missing User Warnings
Severity: Medium. Confidence: 93%.
The skill repeatedly instructs the agent to create and overwrite files such as project.md, continuity/fact_database.md, chapter context files, and project status, without requiring a clear warning or confirmation before modifying existing workspace data. In a real agent environment this can lead to accidental overwrites, unauthorized persistence, or destructive edits triggered by an imprecise or misunderstood user request.

Vague Triggers
Severity: Medium. Confidence: 94%.
The trigger keywords are broad enough that the skill may auto-activate in many ordinary discussions involving mystery, clues, or twists, even when the user did not explicitly request this specialist. Unintended activation can cause workflow hijacking, irrelevant file reads, or unnecessary context access, which is a genuine security and safety issue in multi-agent systems.

Vague Triggers
Severity: Medium. Confidence: 92%.
The activation condition uses very broad generic keywords such as '大纲' (outline), '结构' (structure), and '规划' (planning), which can cause the skill to trigger in conversations that are not actually requesting this agent. In a multi-agent environment, over-broad routing can lead to unintended file reads/writes and inappropriate disclosure or modification of project content.

Missing User Warnings
Severity: Medium. Confidence: 94%.
The skill declares output paths and has file.write capability, but the workflow does not clearly require explicit user consent before creating or modifying project files. This can result in silent file generation or overwriting, which is risky in agentic systems because users may not realize that persistent changes are being made.

Vague Triggers
Severity: Medium. Confidence: 95%.
The trigger conditions rely on very broad generic terms such as '情节' (plot), '冲突' (conflict), '高潮' (climax), and '设计情节' (plot design), which are common in ordinary conversation and writing tasks. In an agent system this can cause unintended activation, leading the skill to read project files or take part in workflows when the user did not explicitly request this specific agent.

Missing User Warnings
Severity: Medium. Confidence: 91%.
The skill declares file.write capability but provides no user-facing constraints on what may be written, where outputs are stored, or when writes require confirmation. Because the workflow also instructs the agent to read multiple project files, an unintended or over-broad activation could propagate into unauthorized modification of project content or overwrite generated materials.

Vague Triggers
Severity: Medium. Confidence: 92%.
The trigger conditions are overly broad: terms such as '优化' (optimize), '改写' (rewrite), and '美化' (polish) commonly appear in ordinary conversation and can activate the reviser skill unintentionally. In a multi-agent writing studio this can cause the wrong agent to take control, perform unsolicited file reads/writes, or modify content when the user did not explicitly request revision.

Vague Triggers
Severity: Medium. Confidence: 95%.
The auto-activation keywords are overly broad everyday terms such as '恋爱' (romance), 'CP' (couple pairing), '表白' (love confession), '男友力' (boyfriend appeal), and '女友力' (girlfriend appeal), which can match ordinary conversation and invoke the skill outside the user's actual intent. In a multi-agent writing environment this can cause inappropriate routing, unnecessary file reads of project materials, and incorrect influence on downstream creative outputs.

Vague Triggers
Severity: Medium. Confidence: 91%.
The auto-activation triggers are broad keyword matches such as 'AI', '人工智能' (artificial intelligence), and '未来科技' (future technology), which are common in many benign user requests. This can cause the sci-fi specialist to activate unexpectedly, leading to incorrect routing, context pollution, or unnecessary file reads in unrelated tasks. In a multi-agent writing studio, unintended activation increases the chance of scope creep and accidental exposure of project context to the wrong specialist.

Vague Triggers
Severity: Medium. Confidence: 93%.
The trigger conditions are broad, common writing-related terms such as '风格' (style), '文笔' (prose style), and '写法' (writing technique), which can cause the skill to activate in ordinary conversation rather than only when the user explicitly wants this agent. In an agentic environment this increases the chance of unintended file reads/writes and workflow side effects, especially because the skill is configured to generate and save output files.

Missing User Warnings
Severity: Medium. Confidence: 90%.
The skill has file.write permission and explicitly writes a style-specification document into the project directory, but its user-facing behaviour does not require a clear notice or confirmation before project files are modified. This can lead to silent or unexpected changes to user content, which is risky in multi-agent or automated workflows where activation may already be ambiguous.

Missing User Warnings
Severity: Medium. Confidence: 92%.
The skill explicitly directs output to a project file via `[项目目录]/世界观设定.md` (a world-setting Markdown file under the project directory) and its metadata includes `file.write`, but there is no user-facing notice, confirmation step, or scope restriction around modifying files. In an agent setting, silent writes can surprise users, overwrite existing content, or be abused through indirect prompt injection from project context to persist unwanted content into the workspace.
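The Missing User Warnings findings above all describe the same gap: a skill with file.write capability writing to a fixed project path with no notice, no confirmation, and no scope check. The following is an added example, not code from the audit tool or from the Novel Studio skill, of a write gate a skill runtime could place in front of file.write. It separates planning a write (which touches nothing and produces the notice shown to the user) from applying it (which needs an explicit confirmation, confines the target to the project directory, and keeps a backup of anything it overwrites). The file names reuse those quoted in the findings; the directory, contents, and the escaping path are constructed for the demonstration.

```python
"""Added example (not the skill's own code): a consent-and-scope gate for file.write."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import Path
import shutil
import tempfile


@dataclass(frozen=True)
class WritePlan:
    target: Path
    action: str            # "create" or "overwrite"
    old_bytes: int         # size of the file currently on disk (0 when creating)
    new_content: str

    def notice(self) -> str:
        """Text the runtime shows the user before anything is written."""
        if self.action == "create":
            return f"Will create {self.target.name} ({len(self.new_content)} chars)"
        return (f"Will overwrite {self.target.name} ({self.old_bytes} bytes on disk, "
                f"{len(self.new_content)} chars proposed); previous version kept as {self.target.name}.bak")


@dataclass(frozen=True)
class WriteResult:
    written: Path
    backup: Path | None


def plan_write(project_root: Path, rel_path: str, content: str) -> WritePlan:
    """Validate the target and describe the change, without touching disk."""
    root = project_root.resolve()
    target = (root / rel_path).resolve()
    try:
        target.relative_to(root)           # raises ValueError for '../' or absolute paths that escape root
    except ValueError:
        raise PermissionError(f"{rel_path!r} resolves outside the project directory {root}") from None
    if target == root or target.is_dir():
        raise IsADirectoryError(str(target))
    if target.exists():
        return WritePlan(target, "overwrite", target.stat().st_size, content)
    return WritePlan(target, "create", 0, content)


def apply_write(plan: WritePlan, *, confirmed: bool) -> WriteResult | None:
    """Perform the planned write only after the user confirmed plan.notice()."""
    if not confirmed:
        return None                        # nothing written; the runtime re-asks or abandons the step
    backup = None
    if plan.action == "overwrite":
        backup = plan.target.with_name(plan.target.name + ".bak")
        shutil.copy2(plan.target, backup)  # previous version stays recoverable
    plan.target.parent.mkdir(parents=True, exist_ok=True)
    plan.target.write_text(plan.new_content, encoding="utf-8")
    return WriteResult(plan.target, backup)


def demo() -> dict:
    """Exercise the gate in a throwaway project directory and return what happened."""
    out: dict = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "project.md").write_text("# existing outline\n", encoding="utf-8")  # pre-existing user work

        # A path that escapes the project (e.g. smuggled in via injected manuscript text) is refused up front.
        try:
            plan_write(root, "../.bashrc", "export PATH=/tmp:$PATH\n")
            out["escape"] = "allowed"
        except PermissionError:
            out["escape"] = "refused"

        # A new continuity file: planning touches nothing; the write happens only once confirmed.
        plan = plan_write(root, "continuity/fact_database.md", "- protagonist: Lin Yu\n")
        out["create_action"] = plan.action
        out["created_before_confirm"] = plan.target.exists()
        apply_write(plan, confirmed=True)
        out["created_after_confirm"] = plan.target.exists()

        # Existing project.md: flagged as an overwrite, left alone when declined, backed up when confirmed.
        plan = plan_write(root, "project.md", "# regenerated outline\n")
        out["overwrite_action"] = plan.action
        out["overwrite_notice"] = plan.notice()
        out["declined"] = apply_write(plan, confirmed=False) is None
        out["after_decline"] = (root / "project.md").read_text(encoding="utf-8")
        result = apply_write(plan, confirmed=True)
        out["backup_content"] = result.backup.read_text(encoding="utf-8")
        out["after_confirm"] = (root / "project.md").read_text(encoding="utf-8")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The split into plan and apply is the point: the runtime can render `notice()` to the user (or refuse automatically when a skill was only keyword-activated) before any byte lands on disk, and the scope check runs on the resolved path so that a traversal string arriving from project context is rejected regardless of which skill produced it.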

Vague Triggers
Severity: Medium. Confidence: 84%.
The auto-activation trigger matches very common terms such as '世界观' (world setting), '设定' (setting), '地图' (map), and '势力' (faction), which can appear in ordinary discussion without any request to invoke the skill. Over-broad triggering increases the chance that the agent activates unexpectedly, reads project files, and produces or writes content without clear user intent.

Vague Triggers
Severity: Medium. Confidence: 92%.
The trigger list is broad enough that ordinary discussion of common xianxia terms could automatically invoke this skill even when the user did not explicitly request it. In a multi-agent workflow that can cause unintended tool-enabled participation, unnecessary file reads/writes, or routing to a specialized agent outside the user's intent.
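The Vague Triggers findings above, from the writer skill's '写' to the world-building skill's '设定', share one mechanism: a substring keyword match that fires on talk about writing as readily as on a request to write. The following is an added example, not the audit tool's code and not the skill's own router, of a toy skill router showing the weak design, a stricter matcher that requires an explicit request before any trigger counts, a capability check that tells the runtime when a routed skill can write files, and a lint for trigger lists. The trigger words are the ones quoted in the findings; the user messages, request markers, and everyday-word stop-list are constructed for the demonstration.

```python
"""Added example (not the skill's own code): why substring triggers over-activate, and two mitigations."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Skill:
    name: str
    triggers: tuple[str, ...]                    # keyword list as declared by the skill
    capabilities: frozenset[str] = frozenset()


# Trigger words quoted in the findings above (subsets of each skill's list).
SKILLS = (
    Skill("writer", ("写", "创作", "正文", "更新"), frozenset({"file.read", "file.write"})),
    Skill("character", ("角色", "人物", "性格"), frozenset({"file.read", "file.write"})),
    Skill("copyright", ("版权", "原创", "检测"), frozenset({"file.read"})),
)


def naive_route(message: str, skills=SKILLS) -> list[str]:
    """Weak design from the findings: any trigger anywhere in the text activates the skill."""
    return [s.name for s in skills if any(t in message for t in s.triggers)]


# Constructed: phrases that mark an instruction to the studio, as opposed to talk about writing.
REQUEST_MARKERS = ("帮我", "请", "Novel Studio", "小说工作室")   # "help me", "please", the skill's name


def strict_route(message: str, skills=SKILLS) -> list[str]:
    """Stricter design: an explicit /name invocation, or a request marker plus a
    multi-character trigger. A single character such as '写' never routes on its own."""
    text = message.strip()
    if text.startswith("/"):                      # explicit invocation always wins
        cmd = text[1:].split(maxsplit=1)[0]
        return [s.name for s in skills if s.name == cmd]
    if not any(m in text for m in REQUEST_MARKERS):
        return []                                 # no request to the studio: nothing activates
    return [s.name for s in skills if any(len(t) > 1 and t in text for t in s.triggers)]


def needs_consent(skill_names: list[str], skills=SKILLS) -> bool:
    """True when a routed skill can write files: the runtime should show a notice first."""
    by_name = {s.name: s for s in skills}
    return any("file.write" in by_name[n].capabilities for n in skill_names)


# Constructed stop-list: everyday words that should never be a trigger on their own.
EVERYDAY = frozenset({"写", "更新", "检查", "编辑", "检测", "人物", "结构", "规划", "优化", "AI"})


def lint_triggers(skill: Skill, everyday=EVERYDAY) -> list[str]:
    """Flag triggers that are single characters or ordinary vocabulary, before a skill ships."""
    return [t for t in skill.triggers if len(t) == 1 or t in everyday]


# Constructed messages.
CASUAL = "我今天写了一封邮件，这个人物性格真有意思"   # "I wrote an email today; this person's personality is interesting"
EXPLICIT = "请帮我更新第三章正文"                      # "Please help me update the body text of chapter 3"
SLASH = "/copyright 检测第一章是否原创"                # "/copyright check whether chapter 1 is original"

if __name__ == "__main__":
    for msg in (CASUAL, EXPLICIT, SLASH):
        routed = strict_route(msg)
        print(f"{msg}\n  naive={naive_route(msg)} strict={routed} consent_needed={needs_consent(routed)}")
    for s in SKILLS:
        print(f"lint {s.name}: {lint_triggers(s)}")
```

On the casual sentence the naive router activates both write-capable skills (writer on '写', character on '人物' and '性格') although the user asked for nothing; the strict router activates none. On the explicit request both agree on the writer skill, and `needs_consent` reports that a notice is due because that skill holds file.write. The lint flags '写' and '更新' in the writer's list, which is the check a maintainer can run on every skill manifest in the studio.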

VirusTotal

65/65 vendors flagged this skill as clean. A clean multi-engine scan means no vendor matched the package against known malware signatures; it does not evaluate the trigger and consent issues listed above, which are properties of the skill's instructions rather than of any executable.