← Back to Skills Marketplace
143
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install novel-forge
Description
Long-form novel workflow for creating, continuing, resuming, and repairing serialized fiction with externalized project state, role-to-model mapping, worldbu...
Usage Guidance
What to consider before installing:
- The skill is coherent with its advertised purpose (a stateful long-form novel workflow) and the included scripts implement project discovery and scaffolding.
- However, SKILL.md and the scripts read local configuration and workspace environment variables that were not declared in the skill metadata. In particular the skill will (by default) read /root/.openclaw/openclaw.json and check OPENCLAW_WORKSPACE / NOVEL_FORGE_WORKSPACE / CLAUDE_WORKSPACE or ~/.openclaw/workspace, ~/.claude/workspace. That can expose local model/provider inventory and other config present in those files.
- The skill writes project files (project.json, state/current.json, chapters/*.md, worldbuilding.md, etc.) into a workspace/novel directory. This is expected for a scaffold/orchestrator, but be aware it will create and modify files in your workspace.
- There is no remote network exfiltration code in the provided scripts and no install-time downloads, but because the skill reads system config you should:
1) Inspect the actual /root/.openclaw/openclaw.json (or equivalent on your system) to confirm it contains only non-sensitive inventory metadata and no secrets you don't want read.
2) If you are uncomfortable with the skill reading that file, request the skill author to make the config path optional or to declare the required config paths/env vars in metadata so you can consent.
3) Run the bundled scripts in a sandbox or test workspace first to observe behavior (discover_projects.py, scaffold_project.py, show_runtime_inventory.mjs are localized and print JSON).
- If you need higher assurance, ask the author to update metadata to declare required config paths and env vars, or to add an explicit user prompt before reading system-level config. If you trust the author and the workflow, the skill appears usable; if you prefer minimal exposure, do not install it or run it only in an isolated workspace.
Capability Analysis
Type: OpenClaw Skill
Name: novel-forge
Version: 2.0.0
The skill bundle is classified as suspicious primarily due to its requirement to read and process the sensitive system configuration file `/root/.openclaw/openclaw.json` via `scripts/show_runtime_inventory.mjs`. This file typically contains API keys and internal system metadata; exposing its contents to the AI agent and user constitutes a significant information disclosure vulnerability. While the stated intent is to provide a model inventory for the 'multi-agent' workflow described in `SKILL.md`, the high-privilege access to system-level configuration files is a risky capability that could be abused, although no explicit evidence of intentional data exfiltration or remote code execution was found.
Capability Assessment
Purpose & Capability
The skill is a stateful novel project manager and the included scripts (scaffold_project.py, build_context_pack.py, discover_projects.py, show_runtime_inventory.mjs) implement expected project discovery and scaffold functionality. Reading a local model inventory to recommend role→model mappings is coherent with the stated multi-agent workflow. However, the SKILL.md explicitly instructs reading /root/.openclaw/openclaw.json and persisting role→model mappings in project state; those config path accesses are not declared in the skill's metadata (required config paths/env vars are listed as none). This mismatch is plausibly an oversight but should be called out.
Instruction Scope
SKILL.md instructs the agent to read /root/.openclaw/openclaw.json and to run scripts/show_runtime_inventory.mjs before asking for model mapping. The runbook and scripts also instruct discovery of projects under a workspace derived from environment variables (OPENCLAW_WORKSPACE, NOVEL_FORGE_WORKSPACE, CLAUDE_WORKSPACE) or default paths in the user's home directory. These instructions cause the agent to read local configuration and workspace files (project.json, state/current.json, etc.). The skill also tells the main session to persist mappings and state files. The instructions therefore access filesystem paths and environment variables beyond what the skill metadata declares, which is a scope mismatch that could lead to unexpected reads/writes of user files.
Install Mechanism
No install spec is present; this is an instruction-plus-scripts skill. No network downloads or package installs are specified, and the code files are included with the skill bundle, so there is no external install-time execution risk from remote archives.
Credentials
The skill declares no required environment variables or config paths but the scripts and SKILL.md expect and read environment variables and a well-known config file. discover_projects.py reads OPENCLAW_WORKSPACE / NOVEL_FORGE_WORKSPACE / CLAUDE_WORKSPACE and falls back to ~/.openclaw/workspace or ~/.claude/workspace; show_runtime_inventory.mjs loads /root/.openclaw/openclaw.json by default. These are environment/config accesses that should have been declared in requires.env/requires.config; they may expose local config data (model/provider inventory) and read/write files under the user's workspace. No external credentials are requested, and there are no network exfiltration endpoints in the provided code, but the undeclared access to system config and env is disproportionate to the metadata.
Persistence & Privilege
The skill expects to create and update project files (project.json, worldbuilding.md, characters.md, outline.md, style.md, memory.md, state/current.json, chapters/*.md) inside a workspace/novel directory. That is consistent with a project scaffolder/orchestrator. It does not request always:true or other elevated platform privileges. It will persist role→model mappings and project state locally by design; this behavior is expected but should be accepted explicitly by the user because it writes files to your workspace.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install novel-forge - After installation, invoke the skill by name or use
/novel-forge - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Release 2.0.0.
v1.0.1
Release 1.0.1: enforce exact slug/name, keep bilingual quick start, and preserve external state workflow.
v1.0.0
Initial public release: bilingual quick start, external state machine, single-agent/multi-agent support, and project-path hardening.
Metadata
Frequently Asked Questions
What is novel-forge?
Long-form novel workflow for creating, continuing, resuming, and repairing serialized fiction with externalized project state, role-to-model mapping, worldbu... It is an AI Agent Skill for Claude Code / OpenClaw, with 143 downloads so far.
How do I install novel-forge?
Run "/install novel-forge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is novel-forge free?
Yes, novel-forge is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does novel-forge support?
novel-forge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created novel-forge?
It is built and maintained by 咲鹏 (@228998098); the current version is v2.0.0.
More Skills