ClawHub

高考辅助助手

Security checks across malware telemetry and agentic risk

Overview

This is mainly an exam-advice skill, but it needs Review because it sends students toward private WeChat counseling and gives gender-based major guidance.

Review carefully before installing or recommending this to students. The local code appears low-risk, but users should not share IDs, exam records, family details, payment information, or health and mental-health details through the advertised WeChat channel, and the gender-based major advice should be treated as biased rather than authoritative. Use official admissions sources, schools, guardians, and licensed professionals for final decisions and mental-health concerns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill promotes moving users off-platform to a public WeChat account for one-to-one guidance, which creates an unmonitored channel for data collection, social engineering, payment solicitation, or unsafe advice outside platform controls. In a context involving students, exam stress, and potentially sensitive personal details like scores, health status, and family background, this increases privacy and safeguarding risk.

Description-Behavior Mismatch

Low
Confidence
94% confidence
Finding
The file includes off-platform promotion for a specific WeChat public account and advertises 1-to-1 services unrelated to the core reference guidance content. This can be abused to redirect minors and parents to unvetted private channels, where safety, privacy, payment, or scam risks are harder to control and audit.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The document embeds promotional contact information for an external WeChat account and steers vulnerable students toward off-platform one-on-one services. In a mental-health-related gaokao guidance file, this creates a trust-transfer risk: users may disclose sensitive personal or psychological information to an unvetted external contact outside platform safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Advertising one-to-one guidance via WeChat without any privacy, retention, or data-sharing warning encourages users to disclose sensitive educational, personal, and possibly health-related information in a third-party channel with unclear protections. Because the audience may include minors and anxious students, the absence of privacy disclosure materially increases the chance of oversharing and downstream misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file gives specific anxiety, insomnia, and crisis-oriented mental-health guidance without a clear disclaimer that it is informational only and not a substitute for medical, psychological, or emergency care. Because the audience includes stressed students, some may rely on these recommendations instead of seeking timely professional help, especially for severe anxiety, self-harm thoughts, or serious sleep disruption.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The document explicitly assigns different majors to 'boys' and 'girls' as default guidance, without asking for user preference or providing evidence-based, individualized criteria. In a high-stakes education counseling skill, this can steer users toward or away from academic paths based on gender stereotypes, creating discriminatory guidance and potentially causing material harm to applicants' choices.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The decision framework reiterates gender-based defaults such as recommending engineering more broadly for males and 'stable, safe' professions for females, embedding bias into the core selection logic. Because this section functions as prescriptive decision support, it amplifies the risk that users will receive discriminatory advice framed as normative best practice.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal