botlearn-certify

Security checks across malware telemetry and agentic risk

Overview

This certificate skill is mostly coherent, but it needs Review because broad triggers and a reported automatic dependency-install path can lead to local assessment access, file writes, and installed-skill changes without a clear consent gate.

Install only if you are comfortable with the skill reading BotLearn assessment results, running a fresh assessment, and saving certificate files locally. Before use, confirm any dependency installation, prefer explicit BotLearn-specific prompts, and review generated files before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill is presented as a certificate generator, but it also instructs the agent to verify/install dependencies and inspect local assessment history and result indexes. That expands its effective behavior into environment discovery and local data access, which is security-relevant because users may not expect a certificate request to trigger workspace inspection or setup actions.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The first-run setup directs execution of a shell script, which is a materially more dangerous action than generating a certificate. Any shell execution introduces command-execution risk, and in this context it is not necessary to satisfy a simple certificate-generation request from untrusted skill content alone.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The flow explicitly instructs execution of a local shell script (`bash scripts/parse-results.sh {REPORT_PATH}`) even though the skill’s advertised purpose is certificate generation. Invoking shell expands the skill’s capability surface and creates risk if `REPORT_PATH` or the script content can be influenced, leading to command execution, unsafe file access, or unintended side effects. In this context, the capability is somewhat related to report processing, but using shell for parsing makes it more dangerous than necessary.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is presented as a verification/check helper, but it performs an installation side effect when the dependency is missing. That creates an unexpected state-changing action and can cause unreviewed code to be fetched and installed from an external source, which is risky in automation or agent-driven contexts.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
A certificate-generation skill should not need to install software as part of a dependency check, so this expands capability beyond its stated purpose. In an agent environment, this increases danger because a routine certificate flow could trigger package installation and indirectly execute newly obtained code.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list is broad and includes common terms like "certificate" and several generic multilingual phrases that can plausibly appear in ordinary conversation, increasing the chance of unintended activation. In this skill, accidental invocation is more concerning because activation can cascade into autonomous assessment execution and file generation, causing unrequested actions and potential disclosure or modification of local assessment artifacts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README describes a workflow that autonomously invokes another assessment skill, reads historical exam records, and writes certificate files, but it does not clearly warn users that these actions access prior data and create new artifacts on disk. That omission weakens informed consent and makes accidental or surprising data access more likely, especially when combined with broad triggers and autonomous execution.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger set and activation rules are broad enough that the skill could activate on generic mentions of certificates, graduation, or related keywords, including ambiguous multilingual inputs. Unintended activation increases the chance of surprising file access, dependency checks, or assessment invocation in contexts where the user did not actually request those actions.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The template directs the system to automatically infer and use the user's native language, which can require profiling or assumptions about a sensitive personal attribute without explicit consent. In a certification workflow, this can lead to privacy issues, misclassification, and user-facing content generated in an unintended language, especially when language preference was never provided.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The repeated localization instruction reinforces automatic language adaptation rather than user choice, making the behavior systemic rather than incidental. In this skill context, certificates are formal artifacts, so generating them in an inferred language may expose profiling behavior and produce incorrect or exclusionary output that the user did not request.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The template instructs the system to infer and use the user's native language automatically, which can require sensitive-attribute inference without an explicit user choice. This can create privacy and fairness issues, and may surprise users by producing content in a language they did not request or by incorrectly profiling them.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The localization note repeats a requirement to adapt all visible text to the user's native language at runtime, reinforcing automatic language inference as a mandatory behavior. In a certification workflow, this broadens exposure because every generated certificate would embed that inferred preference, increasing privacy risk and the chance of incorrect or unwanted personalization.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This flow directs the agent to locate, read, parse, and summarize historical assessment reports, which may contain sensitive educational performance data, without requiring explicit user notice or consent at the point of access. In a certification workflow, using prior results may be functionally relevant, but silent access to stored history increases privacy risk and can expose more user data than they reasonably expect from a certificate request.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill directs shell execution without any user-facing disclosure that a command will be run on the host environment. Even if intended only for parsing, undisclosed command execution reduces transparency and can hide risky behaviors such as reading arbitrary files or executing modified local scripts, especially in an agent setting where users may not expect system-level actions for certificate generation.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The flow explicitly writes certificate artifacts to predictable disk locations and, on write failure, may emit the full certificate content to stdout instead. This is a real security/privacy issue because users are not warned that files will be created or where data will be stored, which can expose personal assessment results or identifiers in shared environments, logs, or retained workspaces.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script invokes `clawhub install botlearn-assessment` immediately after detecting the CLI, without any confirmation prompt or prior consent gate. This is dangerous because it allows automatic package installation in response to a missing dependency, which can surprise users and create supply-chain or unwanted-execution risk.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
78% confidence
Finding
The trigger term '认证' is very short and generic, so it can match many unrelated conversations about certification. In this skill, accidental activation is more concerning because activation may lead to local history inspection or follow-on assessment workflow rather than a harmless text response.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
78% confidence
Finding
The trigger term '证书' is broad and likely to match unrelated requests for certificates of many kinds. Because this skill can proceed into reading assessment data and generating artifacts, a generic trigger creates unnecessary risk of unintended invocation and data handling.

VirusTotal

65/65 vendors flagged this skill as clean.
