Back to skill

Security audit

Xuanhuan Novelist

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Chinese fantasy-novel writing skill, but users should understand that it reads drafts and creates or updates local project files during its workflow.

Install this only in a workspace that contains drafts you are comfortable having analyzed. Expect it to create a xuanhuan-novelist folder, save preferences, generate planning files and chapters, and automatically polish or rewrite generated chapters after you approve the planning and writing mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises no explicit permissions yet its workflow requires reading local files such as existing drafts, unfinished projects, and referenced documents. Hidden file-read behavior can surprise users and bypass informed consent, especially when the skill auto-scans for prior work. In a writing assistant context this is more dangerous because local drafts may contain sensitive unpublished or personal material unrelated to the current request.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose is a novel-writing assistant, but the workflow also performs local file inspection and validation tasks that are not clearly described to the user. This mismatch undermines user trust and can conceal broader data access or processing than expected, increasing the chance of unauthorized reading or modification of local content. Because the skill already describes autonomous operation, the undisclosed behaviors are more concerning in context.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill directs use of subagents and agent teams, expanding execution scope beyond a simple single-assistant writing role. Multi-agent orchestration increases complexity, makes data flow harder to audit, and can propagate user content and local context to additional agents without clear consent boundaries. In this skill, that risk is amplified because drafts and project files may already be auto-read and then shared across agents.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The workflow mandates fully autonomous completion and forbids user confirmation during major writing and rewrite phases. That removes an important safety checkpoint before extensive content generation or modification, especially when the skill may create files, continue prior projects, and rewrite chapters automatically. In context, this increases the likelihood of unwanted actions being taken on user content without review.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The flow explicitly triggers on detecting chapter files in the user's working directory and allows automatic scanning of all chapter files. That expands the skill from user-requested writing help into autonomous local file discovery and content analysis, which can expose unrelated manuscript content without a clear, informed consent step tied to file access.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The workflow instructs creation of multiple structured analysis files in the project directory, introducing persistence beyond transient assistance. Writing derived files can leak sensitive story content, overwrite user files, or leave unexpected artifacts, especially since this behavior is not reflected in the manifest description.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The flow instructs the agent to persist collected answers into `user-preferences.json`, creating storage and profiling behavior beyond the visible chapter-planning interaction. Because this write is not clearly disclosed or scoped to a strictly necessary function, it introduces an unnecessary privacy and transparency risk for users providing creative preferences.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The instruction to update preferences 'silently' creates an undocumented side effect while the user is only shown a summary of story information. Hidden state changes undermine user awareness and trust, and can cause the user to disclose information under the false impression that it is only being used transiently within the current interaction.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase includes broad natural-language requests such as '帮我写一部玄幻小说', which can overlap with ordinary conversation and cause unintended activation. Over-broad invocation increases the chance the skill engages without clear user intent, potentially causing unexpected processing of user content or file-writing workflows.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The README states that existing draft content will be automatically analyzed for style and setting extraction, but it does not clearly warn users that pasted or provided manuscript text will be processed and structured into derived files. This can create privacy and expectation issues, especially if users supply unpublished or sensitive drafts without realizing the extent of analysis and retention.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation wording is broad enough that the skill could trigger on generic fiction-writing requests without clear boundaries. Overbroad invocation raises the chance that users engage the skill without understanding its autonomous behaviors, file access, or project-management side effects. The context makes this somewhat more risky because the skill is not merely conversational; it may inspect and create files automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill states it will automatically detect existing chapters and unfinished projects, but the user-facing description does not warn that local content may be read. This can lead to silent intake of unrelated or sensitive drafts, creating privacy and confidentiality risks. In a creative-writing context, unpublished manuscripts and personal notes are often especially sensitive intellectual property.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow includes automatic project-folder and file generation without a clear warning about filesystem changes. Unannounced writes can clutter user environments, overwrite expectations, or create artifacts containing sensitive generated content. This is more dangerous here because the workflow appears designed for long-running autonomous output, increasing the volume of unintended changes.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill promises fully automatic generation and up to three rounds of automatic rewriting without clearly warning users about the extent of autonomous content modification. Even if intended to improve quality, this can overwrite user expectations, alter style, or produce large volumes of content without checkpoints. In context, the danger is mainly loss of control and unexpected modifications rather than direct system compromise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow describes automatic scanning of the working directory for .txt/.md chapter files without an explicit warning that local files will be read. Even in a writing skill, silent discovery and inspection of local content violates the principle of least surprise and may capture sensitive drafts or unrelated notes stored in the same directory.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs generation of several files in the project directory but does not clearly warn the user that data will be written to disk. Undisclosed writes create privacy, integrity, and surprise risks because extracted character, plot, and style summaries may persist locally and could conflict with existing project structure.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation condition is broad enough that the skill may trigger on generic fiction-writing requests and immediately begin scanning the workspace, loading preferences, and inspecting files before the user clearly intended to invoke this specific skill. In this skill’s context, that increases the chance of unintended access to local drafts and project directories, creating privacy and overreach risks rather than direct code-execution risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Silent persistence of user preferences without any warning or consent is a genuine privacy issue. Even if the data seems low sensitivity, accumulated preference data can still be used to profile users, shape future interactions, or persist unexpectedly across sessions without their knowledge.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file is entirely in Chinese and does not offer a language choice or clearly document that the skill is intentionally restricted to Chinese-speaking users. This can cause users or downstream agents to misunderstand prompts, options, or safety-relevant configuration steps, increasing the chance of misuse or incorrect operation. In this context, the risk is limited because the content is a fiction-writing workflow rather than a privileged or code-executing skill.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The flow instructs the agent to create and later delete local files (`.pending-title`, project directory naming, and planned output files) without any explicit user warning or consent checkpoint about filesystem modifications. While this appears intended for state persistence and workflow continuity rather than harm, silent local writes can surprise users, leak sensitive story content to disk, or violate environment expectations in restricted runtimes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The flow explicitly instructs deletion of `{base}/.pending-title` after reading it, but provides no user-facing notice, confirmation, or guardrails about what is being removed. Even though the target appears narrow, silent file deletion in an agent workflow is risky because path resolution mistakes, symlink abuse, or unexpected reuse of that filename could cause unintended data loss.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow directs the agent to update project files and create chapter files automatically without any user-facing disclosure at the point of action. Silent writes can surprise users, overwrite expected state, or cause unintended repository changes, especially because the flow also resumes from prior status and modifies planning artifacts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The serial loop requires continuous chapter-by-chapter file updates with an instruction not to stop or ask the user for confirmation. This creates a risk of large-scale unattended modifications, making mistakes or prompt injection effects propagate across many files before the user can intervene.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow explicitly performs automatic file edits, JSON status changes, and chapter rewrites without requiring user confirmation or clearly warning that project files will be modified. In an agent setting, this increases the risk of unintended destructive changes, repeated rewrites, and silent corruption of user content, especially because the loop allows multiple repair passes with no approval gate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file explicitly states that after each Q&A layer, the assistant will 'silently' sync answers into a persistent preference file. This creates undisclosed collection and retention of user data at the point of interaction, which is a privacy and consent failure even if the data is not highly sensitive. Because the data is stored across sessions and linked to creative history and personal style preferences, users may reasonably be unaware of ongoing profiling.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.