ClawHub

edu-homework-grader

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local homework-grading helper, but its knowledge-bundle README contains unrelated medical and industry dataset references that should be cleaned up.

Reasonable to install for local homework grading, but treat it as draft educational feedback and have a teacher review official grades. Because homework may contain student personal information, only use it in an approved assistant/provider environment. Watch future releases for any added medical, drug, LOINC, or industry datasets unless the publisher removes or explains that out-of-scope README language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README advertises medical, drug, LOINC, and industry reference datasets that are unrelated to a K-12 homework grading skill. This indicates scope confusion or latent multi-purpose behavior, which can enable unauthorized domain expansion, unsafe future data additions, and reviewer/operator misunderstanding about what the skill is intended to process.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Documentation that suggests support for unrelated domains beyond the manifest weakens trust boundaries and can cause the skill to be repurposed or extended in ways users and reviewers do not expect. In this educational context, mention of healthcare and industry datasets is especially suspicious because it has no legitimate connection to grading student homework.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal