botlearn-assessment

Security checks across malware telemetry and agentic risk

Overview

This is a coherent self-assessment skill that openly runs local reporting steps and saves assessment reports, with no evidence of hidden data theft or destructive behavior.

Install only if you want an autonomous benchmarking skill that may use available tools, run bundled local Node.js report renderers, and keep detailed report/history files under results/. Avoid using sensitive prompts or proprietary data in assessments, and be cautious opening generated HTML/SVG reports if the underlying JSON was manually edited or came from an untrusted source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The flow explicitly writes a detailed assessment report to `results/exam-{sessionId}-full.md` and maintains a history index, creating persistent local artifacts from a user interaction. In a self-assessment skill, this is risky because it stores session metadata and performance information without any explicit consent, retention policy, or indication that disk state will be modified.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
The file claims to belong to the 'botlearn-assessment' skill, but the user-facing report template is branded and structured as 'OpenClaw Agent Capability Probe Report v2' with a different assessment taxonomy. This inconsistency can mislead users, downstream automation, or evaluators about what system produced the output and what scoring model is being applied, creating integrity and trust issues rather than direct code-execution risk.

Description-Behavior Mismatch

Severity: High | Confidence: 99%
The file content is fundamentally misaligned with the declared skill purpose: instead of a BotLearn self-assessment, it provides a full design for an automated news briefing system with scheduling, web search, synthesis, and file output. This kind of scope drift is dangerous because it can cause an agent to invoke unrelated capabilities and perform external actions the user did not request, increasing the chance of unauthorized data access, persistence, or operational misuse.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The documented architecture includes cron scheduling, repeated web searches, and writing files to disk, none of which are justified by a self-assessment skill. In this context, these capabilities materially increase risk because they enable autonomous external actions and local state changes under misleading skill branding, which could surprise users or be repurposed for persistence and data collection.

Context-Inappropriate Capability

Severity: Medium | Confidence: 92%
The strategy directs the agent to execute a local Node script and write multiple files under results/ as part of a self-assessment flow, but these side effects are not essential to answering assessment questions. Unnecessary code execution and filesystem writes expand the attack surface and can cause unauthorized state changes or be abused if paths, arguments, or supporting files are manipulated.

Context-Inappropriate Capability

Severity: Low | Confidence: 86%
The tool dependency scan instructs the agent to search for available tools or installed skills to decide whether to skip questions. For a self-assessment skill, enumerating local capabilities is broader than necessary and may expose environmental details that can later be used for targeting or prompt adaptation.

Vague Triggers

Severity: Medium | Confidence: 92%
The trigger set includes generic terms such as 'exam', 'assessment', 'evaluate', and 'test yourself', which are common in ordinary conversation and can cause the skill to activate outside the user's intended context. Because this skill performs autonomous self-testing and writes reports/history files, accidental invocation can lead to unnecessary execution, misleading outputs, and unintended local file creation.

Missing User Warnings

Severity: Medium | Confidence: 88%
The README states that each assessment generates persistent files under results/ and maintains history in INDEX.md, but it does not clearly warn users that these artifacts are stored locally across runs. In a self-assessment skill, those files may contain prompts, answers, scores, and trend history, so users may unknowingly leave behind sensitive operational or evaluative data.

Vague Triggers

Severity: Medium | Confidence: 94%
The trigger list includes generic English terms such as 'exam', 'assessment', and 'evaluate' that are common in ordinary conversation. This can cause unintended activation of the skill, which is more concerning here because the skill then performs autonomous exam flow and may generate persistent report files without a clear opt-in.

Vague Triggers

Severity: Medium | Confidence: 92%
Additional phrases like 'reasoning test' and similar generic capability labels overlap with normal user requests and benchmarking discussions. In this skill, accidental invocation is amplified by instructions to proceed autonomously and produce outputs immediately, increasing the chance of unintended actions.

Vague Triggers

Severity: Medium | Confidence: 93%
The Chinese triggers include short, broad assessment phrases like '评测', '能力评估', and '自我评测' that can appear in many benign requests. Because the skill is designed to run a multi-step autonomous workflow, broad multilingual triggers materially raise the risk of unintended execution.

Missing User Warnings

Severity: Medium | Confidence: 96%
The skill explicitly directs creation of multiple files under results/ and says reports must always be generated, but it does not warn the user about file creation, retention, or visibility. This creates a persistence and privacy risk, especially if prompts, answers, or historical results contain sensitive information and are written to disk automatically.

Missing User Warnings

Severity: Medium | Confidence: 89%
The schema explicitly captures full exam-paper detail, including complete question text, self-generated answers, and scoring detail, which can preserve sensitive prompts, outputs, and derived content far beyond what is necessary for routine reporting. In a self-assessment skill, this increases the chance of storing proprietary inputs, user data echoed in answers, or sensitive model output in logs and reports without any minimization or warning.

Missing User Warnings

Severity: High | Confidence: 98%
The schema requires a `chain_of_thought` object with evidence, reasoning, and key_factor for each criterion, which directly encourages storage and exposure of internal reasoning traces. Persisting such detailed reasoning can leak sensitive data, reveal internal decision processes, and create prompt-injection or policy-bypass risks if downstream systems surface or reuse that content.

Missing User Warnings

Severity: Medium | Confidence: 93%
The flow explicitly instructs the agent to save an assessment report to a results file containing session identifiers, timestamps, scores, and diagnostic commentary, but it does not require notifying the user or obtaining consent for persistent storage. In a self-assessment skill, this creates a privacy and transparency issue because users may reasonably expect an interactive evaluation, not retention of their performance history on disk.

Missing User Warnings

Severity: Low | Confidence: 89%
Appending assessment metadata to a shared `results/INDEX.md` introduces an additional undisclosed persistent write path beyond the per-session report. Even if the indexed data is limited, it can still expose usage history, timestamps, dimension tested, and performance summaries, which increases discoverability of user activity and compounds the privacy risk.

Natural-Language Policy Violations

Severity: High | Confidence: 99%
The skill explicitly instructs the agent to provide chain-of-thought justification for scoring, which can expose sensitive internal reasoning and create policy noncompliance. Because this is part of a self-evaluation workflow, it systematizes repeated disclosure of hidden reasoning rather than an isolated formatting issue.

Natural-Language Policy Violations

Severity: High | Confidence: 99%
The prescribed scoring output format includes a user-visible 'Justification' field and verification language tied to chain-of-thought, encouraging direct exposure of detailed internal reasoning. This increases the likelihood of systematic reasoning leakage to end users across every scored question.

Missing User Warnings

Severity: Medium | Confidence: 97%
The report-saving step causes a filesystem write as part of the normal exam flow, but the user-facing exam announcement does not warn that local files will be created. Hidden side effects violate user expectations and can expose sensitive or private assessment data to later readers of the workspace.

Missing User Warnings

Severity: Medium | Confidence: 98%
Appending to `results/INDEX.md` modifies an existing file and accumulates historical session data, but the flow does not disclose that an index will be updated. This can silently alter repository state and create an audit trail of user activity without informed consent.

Natural-Language Policy Violations

Severity: Medium | Confidence: 95%
The document explicitly requires Chain-of-Thought justifications for every score, including in self-test mode. Requiring internal reasoning disclosure is risky because it can encourage exposure of sensitive hidden deliberation, policy reasoning, or prompt-derived internal traces when a concise evidence-based rationale would suffice.

Missing User Warnings

Severity: Medium | Confidence: 89%
The workflow explicitly says self-evaluation auto-starts with no user confirmation, which can trigger long-running autonomous actions unexpectedly. In an agent setting, that can consume tokens, tools, time, and potentially access prior history or other connected resources without clear user intent, making it a meaningful safety and consent issue.

Missing User Warnings

Severity: Low | Confidence: 83%
The markdown instructs writing output files to the local filesystem without any explicit warning, consent flow, or safeguard around modifying local state. While file output alone is not inherently malicious, in this mislabeled skill context it is more dangerous because users expecting a self-test may not anticipate disk writes or the creation of persistent artifacts.

Missing User Warnings

Severity: Medium | Confidence: 97%
The script inserts the user-controlled session value directly into SVG text content without XML escaping. If the SVG is later opened in a browser, embedded in a web page, or processed by an SVG-capable renderer, crafted input containing characters like <, >, &, or quote-breaking payloads can turn into active markup/script and lead to SVG/HTML injection or stored XSS in downstream consumers.

Vague Triggers

Severity: Medium | Confidence: 88%
The intent logic allows immediate auto-start based on generic terms such as 'full' or 'complete' and then explicitly says not to wait for confirmation. Weak activation boundaries increase the risk that normal conversation triggers the workflow unintentionally, which is more concerning here because later steps include autonomous actions and file modifications.

VirusTotal

1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.