Security audit

Chapter Skeleton

Security checks across malware telemetry and agentic risk

Overview

The core chapter-skeleton helper looks scoped, but the package also includes under-disclosed pipeline and report-generation artifacts that could steer broader workflows.

Review this package before installing if your OpenClaw environment indexes bundled pipeline files. The main script appears safe for generating outline/chapter_skeleton.yml, but the package also contains broader pipeline routing and report-generation components that may create many additional workspace artifacts if activated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding
The skill declares no explicit permissions, but its instructions and metadata clearly require reading repository files, writing `outline/chapter_skeleton.yml`, and invoking `python scripts/run.py`, which implies shell execution. This creates a permission/capability mismatch that can bypass policy expectations and makes review and enforcement weaker, even if the intended behavior is legitimate.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
This file implements a full research-ideation and memo-generation workflow, which materially exceeds the declared skill scope of building a chapter skeleton only. Scope drift like this is dangerous because an agent may invoke the skill expecting a constrained, non-prose, chapter-level transform, but instead produce unrelated artifacts and behavior that can overwrite planning state, derail pipeline execution, or bypass operator expectations and guardrails.

Intent-Code Divergence

High
Confidence: 98%
Finding
The embedded markdown/report templates generate substantial prose sections such as memos, takeaways, discussion questions, and appendices, directly contradicting the manifest guardrail of 'NO PROSE' and 'chapter-level only'. In an agent setting, violating output-shape guardrails is security-relevant because downstream components may trust the manifest constraints when deciding what files can be written or what content is safe to ingest.

Scope Creep

Medium
Confidence: 94%
Finding
The code path is designed to produce multiple report and trace artifacts beyond the manifest-declared output path, which breaks the principle of least surprise and expands the write surface of the skill. Even without network access, extra file writes can poison workspace state, interfere with other skills' assumptions, leak intermediate reasoning into durable artifacts, or cause unintended downstream automation to consume unauthorized outputs.

Vague Triggers

Medium
Confidence: 91%
Finding
The pipeline is configured with very broad multilingual routing hints and `routing_default: true`, which increases the chance that this workflow is selected in loosely related 'review' or survey contexts without explicit user intent. In an agentic system, unintended activation can trigger a large multi-stage workflow, create or overwrite many artifacts, and steer the session into a high-cost or inappropriate process before the user confirms scope.

Missing User Warnings

Low
Confidence: 74%
Finding
The unit log records the full command line, including workspace path, unit ID, inputs, outputs, and checkpoint values. If those fields contain sensitive project names, internal filesystem layout, or confidential task metadata, they will be persisted to a workspace-local log file and may be exposed to other users or later tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.