cs-learning-assistant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent learning-assistant skill that keeps local study and profile notes. Users should be aware of that persistence, but there is no evidence of malware, exfiltration, or deceptive behavior.

Install this only if you are comfortable with it maintaining local Markdown files about your learning goals, weak areas, review schedule, and session history. Avoid pasting secrets, credentials, or highly sensitive project details into study notes, and periodically review or delete the workspace files if they become too personal or inaccurate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The manifest presents a learning assistant, but the body of the skill adds persistent profile management, session counters, anchor files, and lifecycle state handling that materially expand its behavior beyond simple instructional assistance. This hidden expansion increases privacy and data-retention risk because users may invoke a study helper without realizing it will maintain longitudinal records and structured session state.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill defines a long-term user profiling system with initialization, passive accumulation, and snapshot rebuilding across sessions. Even in an educational context, this creates a persistent behavioral record that can expose sensitive learning history, weaknesses, and preferences without a clearly necessary or proportionate justification.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill mandates automatic creation and maintenance of workspace files such as learning indexes, review schedules, and anchor files at session start and end. Automatic persistence of session-derived data broadens the attack surface and retention footprint, especially if users are not clearly informed that ordinary educational interactions will be logged into structured files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
This module directs the skill to initialize, persist, and rebuild a long-lived user profile in workspace files, which goes beyond a narrow technical Q&A or tutoring function and creates durable learner tracking. Persistent profiling increases privacy risk, enables unnecessary retention of user attributes and learning history, and can be triggered broadly whenever profile modifications are involved.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The trigger list contains broad phrases such as 'code analysis', 'study plan', 'deep research', and 'explain concept' that can match common user requests outside the intended scope. Overbroad triggering can cause accidental invocation of the skill's persistent profiling and file-management behavior in contexts where the user did not intend to enable it.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The module activates on very generic requests such as '解释', '分析', or '深入探讨', which are common in ordinary conversation and can cause unintended invocation of the skill. Over-broad triggering increases the chance that the agent routes unrelated user input into this skill, leading to misclassification, prompt-scope confusion, or accidental disclosure of internal skill behavior in contexts where it was not intended.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The activation guidance is overly broad for a skill that handles general technical learning. Phrases like deep research, explain concept, and generic study-oriented requests can cause the skill to activate outside clearly intended boundaries, increasing the chance of prompt-routing mistakes, unexpected behavior, or interception of requests meant for another skill.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The Socratic mode trigger relies on very generic phrases such as “帮我理解” and “为什么是这样”, which commonly appear in many unrelated conversations. This can lead to accidental mode switching or misclassification of user intent, reducing predictability and potentially causing the assistant to withhold direct answers when the user did not request that interaction style.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The line states that the module should trigger whenever a specific type of file needs to be created, which is broad and underspecified. In an agent system, ambiguous trigger criteria can cause the skill to activate in unintended contexts, leading to unwanted file generation, incorrect routing, or collection/storage of user data in structured files without clear user intent.

Natural-Language Policy Violations

Severity: Medium
Confidence: 87%
Finding:
The entire template set is written in Chinese and defines Chinese-first headings, labels, and command examples without indicating language negotiation or fallback behavior. This can cause the agent to produce outputs in a language the user did not request, increasing the risk of user confusion, misinterpretation of technical content, and reduced reliability in code-learning or interview-preparation contexts where precision matters.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The module says it should trigger whenever the current topic belongs to one of several categories, but it does not define precedence, confidence thresholds, or explicit routing boundaries. In an agent system, this can cause unintended activation on loosely related prompts, leading to misrouting, policy interference, or application of the wrong instructional behavior.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger phrases are very broad across multiple categories, such as general technical terms that commonly appear in many benign or unrelated requests. This increases the chance that the skill activates outside its intended scope, which can override other safer or more appropriate skills and produce confusing or policy-inconsistent behavior.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger condition uses very broad phrases like “调研 / 调查 / 检查最新信息,” which can match many ordinary user requests outside the intended technical-learning scope. This can cause the skill to activate unexpectedly and steer interactions into external-information gathering behavior, increasing the chance of scope overreach, unintended data access patterns, or user confusion about why research workflows were invoked.

Natural-Language Policy Violations

Severity: Medium
Confidence: 75%
Finding:
The strategy hardcodes Chinese-language source preferences as the default without checking user language preference or the topic’s best source language. In a research skill, this can bias retrieval quality, omit authoritative English-first sources, and systematically reduce accuracy or completeness for fast-moving technical subjects.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The file instructs the agent to automatically append and update `workspace/LEARNING_INDEX.md` at the end of every session, creating persistent writes to user data without requiring explicit user consent or warning. In an assistant context, silent persistence can leak sensitive study history, create unwanted records, and violate user expectations about when files are modified.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill directs updates to `workspace/USER_PROFILE.md` when confusion or mistakes are resolved, but does not require notifying the user that a profile-like file is being changed. Profile updates are more sensitive than ordinary notes because they accumulate behavioral and performance history over time, which can expose personal learning patterns or be used in unexpected downstream context.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This module writes session summaries, to-do items, file lists, and similar content into anchor files under `workspace` when a session ends or approaches the context limit, but the documentation does not require explicitly informing the user or obtaining consent. If the session contains sensitive information, internal paths, project details, or credential fragments, this silent persistence widens the data exposure surface and may allow the content to be read later by other processes, users, or agents.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The trigger condition 'when any profile modification operation is involved' is overly broad and underspecified, which can cause the agent to activate profile-writing behavior in situations the user did not clearly request. In a skill that already handles persistent user data, ambiguous triggers make unintended collection and modification more likely.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
Using 'at the end of each session Step A' as a trigger is not self-contained and leaves activation timing unclear, which can result in automatic profile updates without transparent user awareness. While this is more of a control/quality issue than an exploit primitive, it becomes security-relevant because it governs writes to persistent user-tracking files.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README explicitly states that the assistant will automatically generate and maintain persistent user data files, including a user profile, learning goals, growth history, and review schedule, but it provides no privacy notice, retention policy, consent flow, or data minimization guidance. In a learning assistant context, this is meaningfully risky because users are likely to share personal background, career goals, interview preparation details, and code snippets, all of which may be stored across sessions without clear disclosure or lifecycle controls.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly instructs persistent collection and retention of user profile data across sessions, including passive accumulation and snapshot rebuilding. Long-term storage of user-provided learning data creates privacy risk and can enable unintended inference about interests, skill gaps, progress, and behavior over time.

VirusTotal

64/64 vendors flagged this skill as clean.
