Back to skill

Security audit

Novel Architect

Security checks across malware telemetry and agentic risk

Overview

This looks like a novel-writing skill, but the package ships many extra local automation, host-inspection, publishing, cleanup, and self-evolution tools that are not clearly scoped to that purpose.

Install only if you are comfortable reviewing and controlling its local scripts. Use it in an isolated project, pass an explicit bookRoot, avoid running npm scripts blindly, and disable or remove self-evolution, host-profile, diagnostics, cleanup, publishing, and CDN-rendering paths unless you intentionally need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (107)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script injects a remote Mermaid CDN script into generated HTML, causing preview/build output to execute third-party JavaScript at render time. This expands the trust boundary and creates supply-chain and privacy risk: opening the generated HTML or rendering it in Puppeteer may fetch and run code from an external host not disclosed by the manifest.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
For a writing skill, loading external scripts from jsDelivr is not strictly necessary and introduces avoidable network execution during preview/PDF generation. Even if used only for Mermaid rendering, any compromise or unexpected change in the CDN-delivered asset could affect build integrity or leak metadata through outbound requests.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The package metadata describes a broad 'book/manual/whitepaper/report' toolchain and branding unrelated to the declared novel-architect skill. This kind of scope mismatch is dangerous because it can cause operators or hosts to grant capabilities based on a misleading manifest, hiding additional behaviors and increasing the chance of unintended execution paths.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Publishing, packing, marketplace, and release scripts materially expand the operational surface beyond a novel-writing architecture skill. Even if not directly malicious, these capabilities enable artifact packaging and distribution, which can facilitate unauthorized deployment or make hidden functionality easier to propagate.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
WeCom scene-pack administration scripts are not justified by the stated novel-writing function and indicate extra administrative capability. In a user-facing writing skill, unrelated admin tooling widens the trusted surface and can create opportunities for misuse or accidental execution in environments where such integrations exist.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This file extends a novel-writing skill into entitlement, balance, unlock-state, and upgrade/activation-code flows that are outside the declared writing workflow. That increases the skill’s behavioral scope and can mislead users into interacting with account-like or monetization logic they did not expect, creating integrity and trust risks even if no direct payment code is present here.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code actively generates upgrade and purchase-adjacent prompts such as activation-code recharge and unlock messaging, despite the skill being described as a writing assistant. In an agent context, unsolicited upsell behavior can manipulate user decisions, blur system boundaries, and create deceptive or policy-violating commercial interaction paths.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When `--include-host-profile` is enabled, the script reads from `~/.workbuddy` and injects a host-level user profile summary into the generated `session-resume-brief.md`. That broadens data collection beyond the stated book/project memory scope and can expose unrelated personal or cross-project context to later AI sessions, creating an unnecessary privacy and data-minimization risk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script can recursively delete files and directories across the project tree, including build artifacts and temp directories, which is unrelated to the advertised novel-writing functionality of the skill. In an agent context, exposing destructive filesystem operations increases the blast radius if the script is invoked unintentionally or by a prompt-injected workflow, causing loss of project data or release artifacts.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header claims the tool only removes data unrelated to user functionality, but the implementation also deletes ZIP packages from dist via cleanupDuplicateFiles, including release artifacts that may be the final deliverables. This mismatch is dangerous because operators may trust the documentation and run the script, unintentionally destroying packaged outputs they expected to preserve.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script gathers and prints environment details such as the user's book root, .fbs presence, host capability metadata, WorkBuddy home/settings paths, enabled plugins, and binary toolchain information. For a novel-writing skill, this is outside the core functional need and can expose sensitive local environment metadata that may aid fingerprinting, targeted follow-on attacks, or privacy leakage even if manuscript text is not collected.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The header claims the diagnostics package excludes manuscript content, but the output still includes the user's bookRoot path and related .fbs path information. Even with home-directory redaction, filesystem paths can disclose project names, directory structure, storage locations, or other identifying metadata, making the documentation materially misleading.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script can overwrite repository files based on heuristic encoding guesses and replacement-character scrubbing, which is a state-changing capability unrelated to a novel-writing skill's core function. Because writes occur directly to source/content files without interactive confirmation, backup, or strict allowlisting, a user or automation invoking the script could unintentionally corrupt or alter project data.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This file introduces a repo-scanning and file-repair utility that is outside the declared novel-architecture workflow, expanding the skill's effective capabilities beyond user expectations. That mismatch increases supply-chain and trust risk because hidden or unrelated filesystem modification features can be abused by downstream automation or surprise operators reviewing the package only by manifest description.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements a self-evolution control surface, rollback operations, and methodology knowledge management that are unrelated to the declared novel-writing purpose. In an agent skill, hidden or unjustified self-modification capabilities expand the trust boundary and can enable unauthorized behavior changes, persistence, or future abuse even if no immediate exploit is shown in this file alone.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code can trigger internal evolution workflows and mutate persistent configuration under .fbs, which means the skill can alter its own future behavior outside the user-facing novel-writing scope. In this context, self-updating behavior is especially risky because it creates a path for unreviewed capability drift and unexpected state changes in response to natural-language commands.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill fetches external methodology knowledge for internal evolution domains that are not part of the advertised writing workflow. Pulling external content into internal capability decisions increases supply-chain and prompt-injection risk, especially when the fetched knowledge may later influence code, configuration, or behavior updates.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code tells the user that confirmation is required before starting a potentially destructive evolution process, but then proceeds automatically with a hardcoded assumption of confirmation. This is a deceptive safety control: operators may believe consent is enforced when it is not, enabling unauthorized state changes from a single natural-language trigger.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The rollback flow presents a version-selection prompt but silently rolls back to the latest completed entry without waiting for user input. Because rollback is a destructive state change, this mismatch between UI and behavior can cause unauthorized restoration of older state and loss of intended updates.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code reads configuration from and writes ledger data to arbitrary filesystem paths supplied by arguments, with no path restrictions, trust boundaries, or warnings. In an agent or hosted environment, this can expose sensitive local files, overwrite unintended files, or persist user data outside expected locations, which is more concerning because the declared skill purpose does not justify broad filesystem access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script is materially unrelated to the declared novel-writing skill and instead presents a faux 'Phase 2' system optimization/security runner. In an agent-skill context, hidden or off-scope operational code increases supply-chain risk because it can mislead reviewers about the skill’s true behavior and normalize execution of unexpected administrative scripts.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The code reports optimization success using simulated timings and hardcoded claims, creating a false assurance that meaningful UX/security work has been completed. This is dangerous because operators may rely on fabricated validation results when deciding to deploy or trust the system.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The security section claims fine-grained access control, audit logging, monitoring, alerting, data isolation, and encryption, but none of those controls are actually implemented beyond a trivial in-memory permission lookup. Such false security signaling can cause teams to believe sensitive protections exist when they do not, materially increasing the chance of insecure deployment.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file’s stated purpose and exposed subcommands clearly target enterprise/operations workflows such as record preflight checks, WeCom scene-pack administration, credits ledgers, session lifecycle handling, and host capability detection, which are unrelated to the declared novel-writing skill. This kind of capability mismatch is dangerous because it can smuggle unexpected operational tooling into a benign-seeming skill, increasing the chance of unauthorized data access, environment probing, or misuse by a host agent that trusts the manifest description.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This bridge centrally dispatches to multiple subprocess-invoked scripts, including admin and host-detection components, creating a broad execution surface behind a single entrypoint. In the context of a writing skill, this is risky because it enables hidden orchestration of unrelated scripts that may inspect the environment, manipulate operational state, or access data beyond what a user would expect from a novel-generation tool.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/audit-entry-performance.mjs:37

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/book-health-snapshot.mjs:52

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/delivery-chain.mjs:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/env-preflight.mjs:57

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/fbs-cli-bridge.mjs:27

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/fbs-doctor.mjs:25

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/init-project-memory.mjs:55

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/intake-router.mjs:118

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/launch-presentation-preview.mjs:187

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/channel-pack.mjs:283

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/git-workspace-changes.mjs:24

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/lib/pack-skill-gates.mjs:150

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/midterm-execution-chain.mjs:61

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/polish-gate.mjs:259

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/publish-clawhub.mjs:65

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/quality-audit-incremental.mjs:184

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/quality-panorama-orchestrator.mjs:342

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/run-p0-audits.mjs:82

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/s3-guard.mjs:84

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/s3-start-gate.mjs:142

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/smoke-pack-verify.mjs:14

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/standard-execution-chain.mjs:109