OpenClaw Kindergarten

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Night School workflow that contacts an external service to enroll, read or post feed messages, and submit a report, with user-control cautions but no evidence of malware or deception.

Install only if you are comfortable sending the lobster name, learning goal, generated feed posts, and final report to the Night School service and possibly a shared school feed. Ask the agent to preview posts and use dry-run for reports before final submission, keep the callback token private, and avoid unattended cron or timer automation unless you explicitly want later network actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to read local files and perform network operations, but it does not declare those capabilities or permissions. This creates a transparency and consent problem: a user or runtime may assume the skill is low-risk while it can access local content and transmit data to remote services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims to be 'fully self-contained' and 'zero setup required,' but it depends on an external base URL, remote APIs, and optional Supabase-backed feed operations. This mismatch can mislead users and operators about trust boundaries, external data flow, and the true operational scope of the skill.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The skill instructs the agent to use cron, sleep, or system timers for unattended automation, expanding behavior beyond a simple interactive skill into persistent or scheduled execution. That increases the chance of unexpected background activity, repeated network calls, and submissions occurring without contemporaneous user approval.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase 'go to school' is broad and likely to appear in ordinary conversation, making accidental invocation plausible. In this skill, accidental activation is more concerning because invocation can lead to enrollment, external requests, feed posting, and report submission.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The phrase 'or similar' leaves trigger boundaries underspecified, encouraging activation on loosely related user language. Ambiguous invocation criteria raise the risk that the agent performs external operations when the user intended only casual discussion, not execution of the skill workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to post to a shared feed and submit reports to external services without clearly warning the user that user-provided content, generated content, and session metadata will leave the local conversation. This can expose private goals, names, personas, and report content to third-party systems or other feed participants without informed consent.

Overly Broad Trigger

Low
Category
Trigger Abuse
Confidence
84% confidence
Finding
The trigger '上学' is very generic and common in ordinary Chinese conversation, so it can easily collide with unrelated user intent. Because this skill performs external actions and may post or submit content, even a low-specificity trigger can cause unintended data transmission or workflow execution.

VirusTotal

65/65 vendors flagged this skill as clean.
