oh-my-teacher

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate study-assistant skill that may read course materials and save local study progress, with no hidden exfiltration or destructive behavior found.

Install if you want a course-review assistant that can organize materials and track progress. Before using it in an agent shell or notebook with private files, confirm which files or knowledge bases it may read and whether you want .oh-my-teacher snapshots, SRS state, notes, or memory writes created. Disable or avoid implicit invocation if you only want the skill to run when explicitly selected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The adapter materially expands the skill from a course-review assistant into a general runtime-adaptation agent by directing it to inspect environment capabilities and choose behaviors based on available tools. That broadening increases the chance of unnecessary access to files, shell, and persistence surfaces unrelated to the user’s educational task, weakening least-privilege boundaries.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
The default prompt explicitly instructs the agent to probe the current file, shell, sandbox, and persistence capabilities before doing the teaching task. For an exam-review assistant, this is unnecessary reconnaissance that can expose sensitive local context and establish a basis for broader tool use than the skill’s stated purpose requires.

Context-Inappropriate Capability

Low
Confidence: 89%
Finding:
These instructions normalize shell commands, screenshots, local images, and file writes as generally available options, even though the core skill is academic tutoring. In context, that makes the skill more dangerous because users invoking a study assistant are less likely to expect system-level actions, increasing the risk of overcollection or misuse of local resources.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The adapter instructions materially broaden a study-assistant skill into general IDE-style behavior by directing it to probe shell, browser/search, diagnostics, persistence, and project commands before acting. In a loosely controlled host, this can cause the skill to access or manipulate unrelated local/project resources beyond what a user expects from an exam-review assistant, increasing the risk of unintended data exposure or impactful actions.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The adapter explicitly instructs the agent to probe workspace, task, memory, retrieval, file, and shell capabilities before acting, which materially exceeds the stated educational-review purpose of the skill. That broad discovery behavior can lead to unnecessary access to sensitive host data or higher-risk tools, especially when the skill is implicitly invokable and the host capabilities are unknown.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding:
Shell capability probing is not justified by the skill's described function as a final-exam review assistant, and testing for shell access expands the attack surface to command execution and host reconnaissance. In this context, even probing for shell can normalize escalation into capabilities unrelated to tutoring, increasing the chance of data exposure or unsafe execution paths.

Vague Triggers

Medium
Confidence: 82%
Finding:
The README explicitly allows activation by broad natural-language descriptions, which can cause this study skill to trigger on loosely related requests and capture conversations the user did not intend to route into the skill. In an educational assistant that can ingest materials, grade work, and maintain study state, overbroad activation increases the risk of context confusion, unintended data handling, and inappropriate responses during sensitive situations such as live assessments.

Vague Triggers

Medium
Confidence: 97%
Finding:
The invocation phrases are extremely broad and match ordinary study-related language, which can cause the skill to activate in many benign educational conversations where the user did not explicitly request this workflow. Over-broad auto-selection increases the chance that the agent adopts file, memory, planning, or persistent snapshot behaviors unexpectedly, creating consent, privacy, and context-hijacking risks.

Natural-Language Policy Violations

Medium
Confidence: 94%
Finding:
Forcing Chinese as the default output language without user opt-in can override user expectations and reduce the user's ability to understand safety notices, grading criteria, privacy implications, or confirmation prompts. In a multi-user or multilingual environment, this can cause consent and usability failures, especially before file operations or persistence-related actions.

Vague Triggers

Medium
Confidence: 93%
Finding:
The skill enables implicit invocation without defining narrow trigger constraints or exclusion conditions, which can cause the skill to activate in broader contexts than intended. Because this skill's prompt instructs the runtime to probe files, shell, MCP, project context, and persistence, unintended activation could lead to unnecessary capability discovery or access to sensitive workspace context during ordinary conversations.

Vague Triggers

Medium
Confidence: 91%
Finding:
Implicit invocation is enabled without trigger constraints, allowing this broadened, tool-aware skill to activate in situations where the user may not have intended a system-capable study agent to run. Because the skill already includes capability probing and adaptable tool use, unconstrained auto-invocation increases the risk of unexpected file or environment interaction.

Vague Triggers

Medium
Confidence: 92%
Finding:
The skill enables implicit invocation without defining narrow trigger conditions or exclusions, which can cause the study assistant to activate in unrelated conversations and process sensitive educational content unexpectedly. In an agent-routing environment, overly broad activation increases the chance of unintended prompt injection exposure, privacy leakage from uploaded course materials, or confusing cross-skill behavior.

Vague Triggers

Medium
Confidence: 90%
Finding:
The skill enables implicit invocation without constraining when it should trigger, which can cause the agent to activate in contexts the user did not clearly intend. For a study assistant that may ingest files, adapt workflows, and potentially use host tools, unexpected activation increases the risk of unnecessary data exposure, unintended actions, or confusion about user consent.

Vague Triggers

Medium
Confidence: 93%
Finding:
The skill enables implicit invocation and is designed to trigger on a very broad set of common study-related phrases, including generic terms like notes, knowledge base, review, and exam prep. This can cause the skill to activate when the user did not clearly intend to use it, leading to unintended access to retrieval, memory, planning, or subagent capabilities in a sensitive academic-notebook context.

Natural-Language Policy Violations

Medium
Confidence: 84%
Finding:
The display text and default prompt are written entirely in Chinese and instruct the system to act in Chinese without checking the user's language preference. While not a direct code-execution risk, this can override user expectations, reduce transparency around tool use, and increase the chance that consent or retrieved content handling is misunderstood.

Vague Triggers

Medium
Confidence: 96%
Finding:
The skill enables implicit invocation globally without defining narrow trigger conditions, exclusions, or user-confirmation boundaries. In a study assistant that ingests course materials and may shape responses automatically, this can cause the skill to activate in unintended contexts, leading to surprise prompt injection exposure, unintended data handling, or behavior override without clear user intent.

Vague Triggers

Medium
Confidence: 93%
Finding:
The skill enables implicit invocation globally without defining narrow trigger conditions or contextual constraints. In a broad educational assistant that handles course materials, grading, planning, and retrieval across environments, this increases the chance the skill activates unexpectedly and processes sensitive user content or alters conversation flow without clear user intent.

Vague Triggers

Medium
Confidence: 95%
Finding:
The skill enables implicit invocation without any scoped triggers, exclusion rules, or trust boundaries, which can cause the teaching agent to auto-activate in contexts where the user did not clearly request it. Because this skill is designed to ingest course materials, grade answers, and potentially probe IDE/runtime capabilities, unintended activation could expose sensitive files, pull in unrelated workspace context, or perform actions the user did not mean to authorize.

Vague Triggers

Medium
Confidence: 91%
Finding:
Enabling implicit invocation without tight trigger constraints makes it easier for the skill to activate in situations where the user did not knowingly request this adapter behavior. Because this skill also instructs capability probing and broader IDE-agent operations, unintended activation can lead to unanticipated inspection of files, project state, or tool capabilities.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The manifest explicitly tells the agent to probe potentially impactful capabilities such as file editing, shell, browser/search, diagnostics, project commands, and persistence, but it does not require a user-facing warning or consent flow first. Even if probing is intended as feature detection, in practice such checks may touch sensitive environment state or normalize risky tool use without informed user approval.

Vague Triggers

Medium
Confidence: 92%
Finding:
Enabling implicit invocation without trigger constraints allows this skill to activate in broad study-related contexts while carrying instructions to probe optional capabilities. That combination increases the likelihood of the agent accessing tools or data without a sufficiently specific user request, making overreach more dangerous in normal operation.

Vague Triggers

Medium
Confidence: 82%
Finding:
The skill advertises very broad natural-language triggers for invocation, including many generic study-related phrases. In environments where skills are auto-routed from user intent, this can cause unintended activation, leading to inappropriate access to files, memory, or other learning workflows without the user clearly selecting this skill.

Vague Triggers

Medium
Confidence: 91%
Finding:
The routing table maps short, ambiguous Chinese phrases directly to actions and multi-step workflows without scope checks, confirmation requirements, or explicit exclusions. In a study assistant that can organize materials, grade work, and build plans, overly broad triggers can cause unintended actions, misrouting, or processing of the wrong content based on casual phrasing.

Natural-Language Policy Violations

Medium
Confidence: 83%
Finding:
The file is explicitly designed for Chinese natural-language routing and does not provide user language choice or opt-in, which can cause incorrect assumptions about language preference and accidental command routing. In this educational skill, the primary risk is reliability and consent around workflow selection rather than direct security compromise, but it can still lead to unintended handling of notes, papers, or study plans.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill directs the agent to persist study snapshots and machine-readable state to local files automatically, but does not require explicit user notice or consent before storing potentially sensitive educational data. This can expose course history, performance weaknesses, goals, and uploaded-material metadata to other local users, tools, or later processes without the user's awareness.

VirusTotal

65/65 vendors flagged this skill as clean.