ClawHub

Language Learning Mastery

Security checks across malware telemetry and agentic risk

Overview

This is a language-tutoring skill whose files match its stated educational purpose and do not contain executable code or hidden high-risk behavior.

Installers should be comfortable sharing language goals, practice answers, progress history, and any pronunciation recordings with the agent or platform running the skill. Use explicit skill invocations if your assistant auto-routes skills, and ask to switch back to your preferred language whenever immersion is not helpful.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The quick-start phrases are extremely generic user utterances such as 'Quiz me' and 'What's my progress?', which overlap with normal conversation and could cause the skill to activate unintentionally in broader assistant contexts. While the README is not itself executable code, broad invocation language increases the chance of accidental routing or triggering if the platform uses natural-language matching for skill selection.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The command table defines very generic trigger phrases such as "Quiz me," "Give me homework," and "How do you say [phrase]?" that could plausibly appear in ordinary conversation. In systems that route or activate skills from natural-language matches, this can cause unintended invocation, context switching, or execution of the skill when the user did not explicitly mean to call it.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The rule to "Stay in the target language" is presented as a hard instruction without explicit user opt-in, accessibility exceptions, or a clear escape hatch. This can force an unwanted language/locale behavior, reduce user control, and create usability or safety issues for confused users who need clarification in their preferred language.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal