ClawHub
Back to skill

Security audit

Japanese Conversation Scorer

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Japanese conversation grading tool, but it packages identifiable student records and lacks clear privacy controls for educational data.

Install only if you are authorized to handle student educational records in this environment. Before use, remove bundled learner files or replace them with anonymized examples, avoid uploading unnecessary identifiers, and define where audio, transcripts, scores, Excel exports, and learner history will be stored and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad phrases such as student self-test, single-person conversation practice, and partner dialogue practice that are common in ordinary educational chat. This can cause the skill to activate unexpectedly and process audio or generate grading-style outputs when the user did not explicitly intend to invoke this workflow, increasing the chance of inappropriate data handling in a student context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly supports batch grading, class summaries, student names/IDs, and Excel export, but it does not clearly warn users that identifiable student performance data will be processed, stored, and exported. In an educational setting this creates privacy and compliance risk because teachers may upload or export personally identifiable academic records without informed notice or data-minimization safeguards.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.