Security audit

中小学教师智能备课助手

Security checks across malware telemetry and agentic risk

Overview

This lesson-prep skill has a legitimate purpose, but it stores education-platform passwords in plaintext and makes broad persistent or file-system changes that users should review first.

Review before installing. Use it only in a workspace where automatic file creation and downloads are acceptable, do not enter real platform passwords unless you accept plaintext local JSON storage, remove or narrow global activation aliases, and verify cleanup cannot delete unrelated .py or .js files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The document expands the skill's behavior to automatically invoke an additional diagram-generation skill and MCP service that are outside the core lesson-material generation scope described in the metadata. This kind of undocumented cross-skill delegation increases the effective privilege and attack surface of the skill, because a user invoking a teaching assistant may unknowingly trigger external tooling with its own capabilities and risks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The file documents reliance on user-level MCP configuration and launching an external server process via `npx`, which introduces a supply-chain and local-environment trust boundary not justified by the teaching use case alone. If abused, this behavior could cause the agent to execute unreviewed external code or use attacker-influenced MCP configuration, leading to unintended code execution, data access, or exfiltration through the external tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The guidance explicitly suggests alternative capture methods such as clipping and full-page screenshots when direct download is restricted, which can facilitate circumvention of platform access controls or payment restrictions. In a lesson-preparation skill, this is not necessary for core functionality and creates legal, policy, and misuse risk around unauthorized copying of educational content.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding
The skill collects and persists third-party education-platform usernames and passwords even though this file does not use them to perform authenticated downloads or any clearly necessary workflow. Storing unrelated credentials expands the attack surface: anyone with access to the workspace can recover them, and future code changes could exfiltrate or misuse those accounts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The installation guide states that the skill will automatically add activation commands to the user's global memory file (`~/.workbuddy/memory/CLAW.md`), creating a persistent behavior change outside the skill directory. This is dangerous because it modifies global assistant behavior without an explicit consent or review step, which can surprise users, complicate rollback, and create a stealthy persistence mechanism for future invocation.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
Several activation phrases are generic everyday terms such as `备课`, `做课件`, `写教案`, `教学助手`, and `teaching`, which can overlap with normal conversation and unrelated requests. In a voice- or text-triggered assistant environment, this ambiguity can cause unintended skill activation and execution in contexts where the user did not mean to invoke this skill.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The natural-language examples are broad educational requests rather than tightly bounded invocation syntax, which can blur the line between ordinary assistant use and explicit skill activation. If the platform matches these patterns loosely, users may trigger the skill unintentionally when they only wanted general advice or drafting help.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The README advertises very broad natural-language triggers such as '帮我设计一节…' and '制作一个…PPT', which can overlap with ordinary conversation and cause unintended activation of the skill. In this skill's context, accidental activation is more concerning because the skill is also documented as performing network access and creating files automatically, so a mistaken trigger could lead to unexpected external requests or workspace changes.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README says the skill will automatically generate materials and save them under '{workspace}/MyTeacher/' without a clear caution that running the skill modifies the workspace. While the stated path is scoped, unexpected file creation can still run counter to user expectations, consume storage, or create clutter if activation happens unintentionally.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The README says the skill will automatically generate materials and save them under '{workspace}/MyTeacher/' without a clear caution that running the skill modifies the workspace. While the stated path is scoped, unexpected file creation can still run counter to user expectations, consume storage, or create clutter if activation happens unintentionally.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
Broad activation phrases such as generic teaching and lesson-planning terms increase the chance that normal classroom-assistance requests will trigger the full workflow unintentionally. In this skill, accidental invocation is more dangerous because activation can lead to network downloads, local file creation, and use of stored external accounts.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
Allowing direct topic input like a lesson title to start the skill without clear boundaries creates ambiguous invocation and can launch the full automation pipeline from ordinary user text. Because this pipeline includes downloads, document generation, and cleanup actions, unintended activation can have meaningful side effects.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
The skill mandates downloading external resources and using configured site accounts, but does not prominently warn users that network access and account-backed actions will occur. This creates a consent and privacy problem, especially in a teaching context where users may expect only local content generation rather than authenticated scraping or downloads.

Missing User Warnings

Severity: High
Confidence: 92%
Finding
The instruction to delete all generated .py and .js script files after generation introduces destructive behavior without explicit user warning or scope controls. Even if intended as cleanup, such deletion can remove artifacts needed for auditing, troubleshooting, or user retention, and may delete unintended files if implemented broadly.

Missing User Warnings

Severity: High
Confidence: 92%
Finding
Requiring deletion of generated scripts/process files in the output specification repeats the same unsafe cleanup behavior and normalizes irreversible file removal as part of standard execution. In combination with file-system access, this increases the chance of accidental data loss and reduces transparency into what the skill actually did.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document recommends saving content via screenshots and web clipping but omits any warning about copyright, licensing, platform terms, or the need for user authorization. That omission normalizes potentially infringing copying behavior and could lead users to redistribute or reuse protected materials improperly.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The guide instructs the system to automatically generate files and save them to a fixed local path on disk without indicating any user confirmation, consent, or safety checks. In an agent skill that may trigger tool use, silent filesystem writes can cause unintended data creation, overwrite collisions, privacy issues, or abuse of local resources, especially because the path is hard-coded and the behavior is described as automatic.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
Passwords are entered via a plain `input()` call and stored unencrypted in a local JSON file, with no explicit warning at the moment of entry about plaintext storage. This makes credential disclosure likely through shoulder surfing, terminal history/logging, shared workspaces, backups, or accidental file exposure; in the context of a teaching assistant skill, requesting multiple third-party passwords is more suspicious because the core document-generation functionality does not require them here.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.