Security audit

Story Long Write

Security checks across malware telemetry and agentic risk

Overview

This is a coherent long-form fiction writing helper, but it should be used with awareness because it can create and edit story project files and invoke optional helper agents/scripts.

Install only if you want an active writing workflow that can write chapters, update outlines/tracking files, and run local cleanup checks. Use it inside a dedicated story directory, keep backups or version control, be careful with generic “continue writing” prompts, and avoid relying on its adaptation advice to copy protected plot structure or wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The '剧情改编三步法' section explicitly instructs users to locate similar source works, decompose them into outlines, and adapt them for their own use, culminating in the claim that changing enough details makes it original. This can facilitate plagiarism or unauthorized derivative copying by operationalizing how to appropriate protected creative structure while masking the source.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The workflow explicitly instructs the skill to spawn an external `story-researcher` agent when a chapter revision touches factual details. That introduces a secondary tool/agent invocation capability that is not clearly bounded by the revision task itself, creating an escalation path where user-provided or chapter-embedded content could be forwarded to another agent with broader access or looser controls.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger list includes very broad natural-language phrases such as '继续写' and '续写', which can easily appear in unrelated conversations. That can cause accidental activation of a powerful skill that reads and writes project files, invokes sub-agents, and runs local scripts, expanding the attack surface and potentially causing unintended file modifications.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The file is entirely authored in Chinese and begins with Chinese-only instructional content without any indication that language should follow the user's preference. In a general-purpose writing skill, forcing a specific locale can cause the agent to ignore user language, reduce usability, and create prompt-control behavior that overrides user intent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%
Finding
The file content is entirely in Chinese and provides no indication that the skill should adapt to the user's preferred language. In an agent setting, this can override user expectations, reduce accessibility, and cause the model to respond in a language the user cannot understand, which is a real quality and safety issue even if it is not directly malicious.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The instruction '读到哪里就照做' encourages unconditional execution of embedded directives, which is unsafe in agentic contexts because it weakens boundary checks and invites prompt-instruction overreach from reference material. In a skill file, this can cause the agent to treat documentation as mandatory operational commands rather than contextual guidance, increasing the risk of unintended behavior and scope drift.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The workflow declares broad trigger phrases such as '日更', '续写', and '继续写', which can overlap with ordinary conversation and cause the skill to activate unintentionally. In a skill that performs multi-step file reads, writes, and chapter generation without repeated confirmation, accidental activation can lead to unintended content generation or project file modification.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The workflow instructs the agent to update multiple tracking files and later execute local scripts against generated chapter files, but it does not require a clear user-facing warning or consent boundary before writes and script execution. In this context, the skill is more dangerous because it is designed to operate on a real project workspace and proceed automatically in batch mode, so a misfire or misunderstood request could modify files or run tooling unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.