EdStem

Security checks across malware telemetry and agentic risk

Overview

The skill does fetch EdStem discussions as advertised, but it ships a hardcoded bearer token and encourages insecure handling of sensitive course data.

Review before installing. Remove and revoke the bundled token, do not paste your own bearer token into tracked source files, and only run the fetch scripts for courses you are authorized to access. Store outputs in a private directory, avoid unattended cron syncing unless approved, and delete exported course discussions when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, performs network access to EdStem, and writes fetched content to local files, yet it declares no permissions or safety boundaries. In an agent setting, this creates a transparency and consent gap: the agent may execute data-fetching and persistence actions the user did not explicitly authorize, including storing potentially sensitive course discussions on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior goes beyond simple thread fetching by describing use of a hardcoded bearer token, access to account-level course information, and persistent local storage of fetched discussions. Hardcoded credentials are especially dangerous because they can expose an EdStem account to unauthorized API access, while local export of staff/student discussions can leak educational records or internal course communications.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a live EdStem bearer token directly in source code, allowing anyone who can read the file to authenticate as that account and access whatever courses and data the token permits. In this skill context, the token enables retrieval of student/staff discussion content from a third-party service, which creates both unauthorized access risk and privacy exposure well beyond a normal local automation script.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hard-codes a live EdStem bearer token directly in source, which exposes reusable credentials to anyone who can read the file, logs, backups, or repository history. Because this skill is specifically designed to fetch course discussion content, the token can likely be used to access private course threads and associated educational data far beyond the immediate execution context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The migration notes explicitly tell users that the ED_TOKEN remains in `scripts/fetch-edstem.py` and to update it there, which normalizes storing a live authentication credential directly in source code. This creates a real secret-handling weakness because tokens embedded in scripts are prone to accidental commits, leakage through backups or logs, and reuse across environments; in the context of a skill that accesses course discussion data, compromise could expose private student/staff content across EdStem courses.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The documentation explicitly states that the skill includes a bearer token by default and instructs users to replace it directly in source code. Shipping credentials in code is dangerous because tokens can be leaked through source control, package publication, logs, backups, or accidental sharing, enabling unauthorized access to EdStem data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes fetching, archiving, and analyzing EdStem threads, which commonly contain student questions, staff responses, names, and other education records, but it provides no privacy or data-handling guidance. In the context of an agent skill that integrates with LLM workflows, this omission increases the risk of over-collection, improper retention, and accidental disclosure of sensitive forum content.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions tell users to extract a live Bearer token from browser traffic and hardcode it into the script, but do not warn that this is a sensitive credential or explain secure storage practices. This can easily lead to token leakage through source control, shared files, logs, screenshots, or local compromise, enabling unauthorized access to EdStem account and course data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron example encourages continuous automated syncing of discussion forums without warning that this creates ongoing collection and local retention of potentially sensitive student and staff communications. In an automation/agent setting, repeated unattended syncs materially increase privacy, retention, and secondary-use risks compared with a one-time manual fetch.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough that ordinary requests about class forums or course discussions could activate the skill without the user intending a live sync from EdStem. In a context involving educational discussions, that increases the chance of unexpected network access and retrieval of sensitive student or staff content.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The instructions explain how to fetch and format threads but do not warn that the retrieved content may include sensitive student questions, staff answers, course operations details, or other records that will be written to local markdown/JSON files. In this skill's context, persistence materially increases exposure because downloaded discussions may remain readable by other local users, backups, or indexing tools.

Missing User Warnings

High
Confidence
99% confidence
Finding
The authentication guidance tells users to extract a bearer token from browser traffic and paste it into the script, effectively encouraging credential hardcoding and insecure secret handling. This can expose reusable account credentials through source control, shell history, local files, logs, or accidental sharing, enabling unauthorized access to EdStem course and user data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code silently uses a hardcoded API credential to make authenticated requests to EdStem, so running the skill causes remote data access under an embedded account without informed user consent. Because this skill is specifically designed to fetch course discussions, the absence of a warning or authentication prompt makes unauthorized collection of potentially sensitive educational data more dangerous, not less.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script writes full thread data and rendered markdown copies of discussions to local disk, including student and staff names, roles, and post content, without any warning about persistence or data sensitivity. In an education-forum syncing skill, this increases the chance of accidental retention, leakage, or secondary sharing of FERPA-like or otherwise confidential course discussion data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script makes authenticated API calls and silently saves retrieved thread data and per-thread raw JSON to local disk without any consent prompt, sensitivity warning, or access controls. In the context of EdStem, this can capture private student/staff discussions, potentially including educational records or other sensitive course information, increasing the risk of unauthorized retention and secondary disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.
