Back to skill

Security audit

Blog Writer (深度长文写作)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Chinese blog-writing workflow that saves drafts locally, can read a user-chosen reference folder, and optionally exports or archives articles, with no evidence of deception or exfiltration.

Install this only if you want a local writing workflow that saves Markdown drafts, can read style samples from a reference folder, may search the web for supporting evidence, and can export or archive final articles. Use a dedicated reference directory with only non-sensitive writing samples, and ask the agent to confirm exact paths before exporting, deleting generated export files, or archiving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill documentation instructs the agent to read local files, write drafts and exports, and invoke shell commands, but it declares no permissions or equivalent capability boundaries. This creates a transparency and governance gap: callers may invoke a seemingly simple writing skill without realizing it can access the filesystem and execute external tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The advertised purpose is article writing, but the documented behavior also includes file transformation, export generation, archival copying, cleanup, and invocation of pandoc. That mismatch is dangerous because users and orchestrators may grant or trigger the skill under a low-risk assumption while it performs broader local processing and command execution than expected.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The skill authorizes broad web searching for evidence gathering without clearly constraining scope, domains, or user consent. In context this is not inherently malicious, but it expands data access and may cause unintended outbound retrieval or incorporation of untrusted material beyond what a user expects from a local writing assistant.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill manages a local reference-library path via an environment variable and automatically reads from that directory for style calibration. This is broader than simple text generation and can expose unrelated local content if the path is misconfigured, overly broad, or points at sensitive files.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The workflow includes persistent draft writing, review file reloads, export conversion, cleanup, and archival operations, which materially exceed a passive writing assistant role. These side effects increase the chance of unintended file creation, modification, deletion, or retention if the skill is triggered casually.

Vague Triggers

High
Confidence
84% confidence
Finding
The trigger guidance says to prefer invoking the skill when uncertain and covers very broad generic writing requests. Overbroad activation increases the chance that this file-writing, file-reading, and shell-using skill runs in situations where a simpler non-side-effecting assistant response would have been safer.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The 'when to use' section includes a catch-all for any long-form writing need, with no exclusions or safety qualifiers. In context this mainly raises the risk of unnecessary invocation and unintended side effects rather than a direct exploit, but it still weakens control over capability use.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill instructs automatic reading of user-specified reference files for style calibration without a prominent warning about privacy, scope, or potential sensitivity of local files. This can lead users to expose more local content than intended, especially because the reads are framed as automatic and routine.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill says it will directly write drafts to local files as part of normal operation, without an explicit overwrite, path-safety, or confirmation warning. Automatic writes increase the risk of unintended file creation, name collisions, and persistence of sensitive user content on disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The archiving step includes deletion of export files from drafts without an explicit warning or confirmation. Any undocumented deletion behavior is risky because users may rely on those files for publication workflows and may not expect the writing skill to remove artifacts automatically.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.