quiz-maker

Security checks across malware telemetry and agentic risk

Overview

This quiz skill matches its general purpose, but it sends document text to a hardcoded cloud host and exposes quiz/student records through weakly protected web/admin flows.

Install only if you trust the operator of the hardcoded 118.196.5.240 service and are comfortable sending document contents and quiz data there. Do not use it with confidential documents or real student records until TLS verification, configurable endpoints, admin authentication, privacy notices, and safer install/deploy behavior are fixed; use a limited ARK key and avoid running the deploy/start tunnel scripts on sensitive hosts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

try:
    import qrcode
except ImportError:
    # Flagged behaviour: silently installs third-party packages at runtime
    print("正在安装 qrcode...", file=sys.stderr)
    subprocess.run([sys.executable, "-m", "pip", "install", "qrcode", "pillow", "-q"])
    import qrcode

if len(sys.argv) < 2:
Confidence
93% confidence
Finding
subprocess.run([sys.executable, "-m", "pip", "install", "qrcode", "pillow", "-q"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands and handles environment configuration, but the manifest does not declare these capabilities. This reduces transparency and prevents proper permission gating, making it easier for users to trigger file access, command execution, and local configuration changes without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior is much narrower than the detected capabilities: the skill appears to send document contents to an external AI service, expose a public endpoint, and handle quiz/participant records and analytics. This mismatch materially affects privacy and security expectations because users may provide sensitive documents or participant data without realizing it will be stored, processed externally, or exposed via public access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill asks the user for an ARK API key and persists it in a local .env file, which is credential handling beyond the narrow advertised function. Storing secrets in a workspace path increases risk of accidental disclosure through filesystem access, backups, logs, or other local tools, especially when the storage practice is not prominently disclosed.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The code imports subprocess execution capability and later uses it as a parser fallback, which expands the attack surface beyond simple document parsing. Invoking shell utilities on attacker-controlled file paths can lead to command injection or unsafe execution behavior if path handling or quoting assumptions fail, and it also enables behavior not necessary for quiz generation.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
This page exposes a client-side delete action for quizzes via fetch(`/api/quiz/${quizId}`, { method: 'DELETE' }) with no visible authentication, authorization, or CSRF protection in the flow. If the backend relies only on possession of the quiz ID or this page is reachable by untrusted users, an attacker could delete quizzes and associated results, causing integrity loss and denial of service for teachers and participants.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The page collects personally identifiable information (name and class/unit) before allowing the user to proceed, but the skill’s declared purpose is only quiz generation and answering via QR code. This creates unnecessary data collection and expands the skill into user identification/tracking without clear disclosure, consent language, or an evident need tied to the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The client submits the user’s identity fields together with answer data to the server, indicating result recording and association of quiz performance with an identifiable person. That capability goes beyond the described 'quiz-maker' purpose and creates privacy and surveillance risk if operators store, reuse, or expose these records.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Auto-installing packages is not necessary for the stated QR generation function and gives the skill extra capability to modify the host environment and potentially access the network. In an agent-skill context, unnecessary installation behavior is more dangerous because skills may run with user or platform privileges on systems that expect limited, predictable actions.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script presents itself as a local QR generator, but it may perform package installation via pip, which is not purely local and may trigger network access and code execution from external packages. This mismatch is security-relevant because it can mislead reviewers and operators about the script's actual capabilities and trust requirements.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill sends the full user-supplied document content to an external cloud service at a hard-coded remote host for processing, but the description does not clearly disclose that data leaves the local environment. Because this tool is designed to process documents, the transmitted content may include sensitive internal material, making the hidden exfiltration risk materially dangerous in context.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The request disables TLS certificate validation via rejectUnauthorized: false, which allows man-in-the-middle interception or modification of uploaded document content and returned quiz/QR data. In a document-processing tool that transmits potentially sensitive user material, this turns the remote upload path into an easily compromisable channel.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill exposes additional data-management capabilities beyond simple quiz generation, including quiz enumeration, statistics access, and deletion. In practice this expands the attack surface and enables unauthorized discovery and management of quizzes, which can leak metadata and facilitate abuse even if the manifest only describes quiz creation and QR delivery.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The DELETE /api/quiz/:id endpoint allows anyone who can reach the service to delete quizzes and associated submissions without any authentication or ownership verification. This creates an obvious integrity and availability risk: an attacker can destroy quizzes, erase participant records, and disrupt service with a single request.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The stats endpoint returns participant-level rankings, names, class names, scores, and per-question answer accuracy without any access control. That exposes personal and educational performance data to unauthorized users, creating privacy risk and enabling profiling of participants beyond the stated quiz-generation purpose.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script deliberately opens the locally hosted quiz service to the public internet via a Cloudflare tunnel and prints public URLs for quiz, admin, and root pages. In the context of a document-processing tool, exposing an unauthenticated local service broadens access significantly and can enable unauthorized use of the quiz system or abuse of any weaknesses in server.js/admin endpoints.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill description does not clearly warn users that document contents are sent to a cloud API for quiz generation. In this context, users may upload confidential documents assuming local-only processing, creating a meaningful risk of unauthorized disclosure to a third-party service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill omits an up-front warning that API credentials will be stored locally in a .env file and that service restart is needed. Users may unknowingly allow persistence of sensitive credentials on disk, which can outlive the session and be accessible to other local processes or users.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script downloads remote content from deb.nodesource.com and immediately executes it with bash, which creates a supply-chain execution risk. If the remote script, TLS trust chain, or upstream distribution channel is compromised, arbitrary code will run as root during deployment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The UI invites users to upload teaching documents for AI question generation, but it does not clearly disclose that document contents will be transmitted to the server for processing. This creates a real privacy and informed-consent issue, especially because uploaded files may contain proprietary teaching material, student data, or internal notes, and users may reasonably assume more limited local handling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The page presents an admin/statistics URL and QR code alongside the participant link without warning that possession of that link may grant access to results data. In this skill context, the admin link is meant for teachers and could expose participant performance or other sensitive educational records if shared accidentally via screenshot, forwarding, or QR scan.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The UI asks for personal information but provides no visible warning, privacy disclosure, purpose statement, or indication that the data will be sent to the backend. Users may reasonably believe they are only taking a quiz, not creating an identifiable assessment record, which undermines informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script installs packages with only a generic status message and no confirmation, policy check, or warning that the environment will be modified. Silent or near-silent dependency installation is dangerous because users may not realize they are authorizing network retrieval and execution of third-party code.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill sends user-provided document content to a third-party AI API, but the code shows no consent flow, notice, data classification check, or minimization beyond simple truncation. In a quiz-generation skill, uploaded materials may contain proprietary course content, internal documents, or personal data, so silent external transmission creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code uploads user-provided content, title, and description to a remote service without a clear user-facing warning or consent flow. Given the skill’s purpose of ingesting arbitrary document content, this can expose confidential files or proprietary text to an external processor unexpectedly.

VirusTotal

63/63 vendors flagged this skill as clean.
