Magic Quill

Security checks across malware telemetry and agentic risk

Overview

Magic Quill is a disclosed YAML generator that uses web lookups and writes an output file, with no evidence of hidden credential access, persistence, exfiltration, or destructive behavior.

Install only if you want an agent to run a local Node generator that contacts public web/search/API sources and writes a YAML mapping file. Keep --out inside the intended spells directory, avoid using --url with localhost or private/internal services, and review the generated YAML and listed reference URLs before enabling it with the Spellbook hook.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: This script performs broad network discovery and scraping across user-supplied URLs, DuckDuckGo search results, Wikipedia, skills.sh, and multiple ClawHub endpoints, then recursively follows additional candidate links. In an agent-skill context, that behavior exceeds a simple local file generator and creates SSRF-style risk, unexpected external data access, privacy leakage, and supply-chain exposure because untrusted remote content directly influences generated output.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal