novel-writer

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW
NO_CODE
Full Analysis

The skill consists of a main SKILL.md file and several supporting markdown files located in assets/templates/ and references/. All files are purely instructional markdown or templates, providing guidance for the AI on how to assist with novel writing. No executable code, scripts, or external calls were found.

  1. Prompt Injection: No patterns indicative of prompt injection attempts (e.g., 'IMPORTANT: Ignore', 'CRITICAL: Override', role-play instructions) were found in any of the files. The instructions are clear and focused on guiding the AI's behavior for novel writing.
  2. Data Exfiltration: No commands or instructions for accessing sensitive file paths (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or performing network operations (e.g., curl, wget, fetch) to exfiltrate data were found. All references are to internal markdown files within the skill package.
  3. Obfuscation: No obfuscation techniques (e.g., Base64 encoding, zero-width characters, homoglyphs, URL/hex/HTML encoding) were detected in any of the files.
  4. Unverifiable Dependencies: The skill does not instruct the agent to install any external packages (npm install, pip install, etc.) or download scripts from external URLs. The source field in SKILL.md refers to the origin of the skill's definition, not an active dependency to be fetched or executed by the agent.
  5. Privilege Escalation: No commands like sudo, doas, chmod, or instructions for installing services or modifying system files were found.
  6. Persistence Mechanisms: No instructions for modifying system configuration files, creating cron jobs, or other persistence mechanisms were found.
  7. Metadata Poisoning: The metadata fields (name, description, risk, source) in SKILL.md are benign and do not contain any malicious instructions.
  8. Indirect Prompt Injection: As with any LLM-based skill that processes user input, there is an inherent, general risk of indirect prompt injection if a user provides malicious input. However, the skill itself does not introduce any specific vulnerabilities or mechanisms that would exacerbate this risk beyond that of standard LLM interaction.
  9. Time-Delayed / Conditional Attacks: No conditional logic based on time, usage, or environment variables that could trigger malicious behavior was found.

In conclusion, this skill is a 'no-code' skill, meaning its functionality is entirely defined by natural language instructions and static markdown content, which inherently limits its attack surface and makes it safe from the types of code-based vulnerabilities typically found in executable skills.

Audit Metadata
Risk Level: LOW
Analyzed: Feb 12, 2026, 11:20 AM