Chapter Outliner

Security checks across malware telemetry and agentic risk

Overview

The documented local chapter outliner is mostly coherent, but it includes an undocumented LLM script that can send manuscript project data to DashScope using an environment API key.

Review this skill before installing. Use scripts/generate_outline.py if you want local-only outline templates. Do not run scripts/generate_outline_llm.py unless you intentionally want DashScope generation and are comfortable sending outline, style, character, and chapter metadata from your writing project to that provider using DASHSCOPE_API_KEY.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises only outline generation, but the detected capabilities include environment access, file read/write, and network use without any declared permissions. That creates a trust and review gap: operators may approve or run the skill without realizing it can exfiltrate local project data or secrets via outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
This is a real security issue because the documented behavior omits materially sensitive actions: sending content to an external DashScope endpoint, reading DASHSCOPE_API_KEY from the environment, and consuming additional local chapter index data. In a writing-assistant context, project outlines, character files, and style data may be unpublished intellectual property, so undisclosed remote transmission and secret use significantly increase confidentiality and supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script reads local project content including outline.md, style.yml, character files, and chapter metadata, then sends that material to a third-party LLM service. Even though this is core functionality, it creates a real confidentiality and privacy risk because potentially unpublished manuscript content and character data leave the local environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits project content to a remote LLM API without an explicit warning, interactive confirmation, or privacy notice at the point of use. In a writing workflow, users may reasonably assume files are processed locally, so silent transmission can cause accidental disclosure of sensitive drafts or proprietary content.

Unpinned Dependencies

Low
Category
Supply Chain
Content
rich
PyYAML
Confidence
95% confidence
Finding
rich

Unpinned Dependencies

Low
Category
Supply Chain
Content
rich
PyYAML
Confidence
99% confidence
Finding
PyYAML

Known Vulnerable Dependency: PyYAML — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
PyYAML

VirusTotal

65/65 vendors flagged this skill as clean.