故事接龙

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local story-writing tool, but its delete command can permanently remove files without enough safeguards.

Review before installing if you plan to store important or sensitive drafts. Keep separate backups, avoid using delete unless you have verified the exact story ID, and prefer a version that validates story IDs and adds confirmation or soft-delete before permanent removal.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill documents persistent local storage and a delete command but does not clearly warn users that story content is retained on disk or whether deletion is permanent. This can lead to unintended data exposure on shared systems and accidental loss of user-created content, especially in a collaborative context where stories may contain sensitive or personal material.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal