ClawHub

Language Learning Tutor

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only language tutor whose behavior matches its educational purpose and shows no evidence of unsafe access or hidden activity.

This skill appears safe to install from the provided artifacts. Users should know it defaults to English explanations/translations, so non-English users or users wanting full immersion should explicitly ask the tutor to use a different support language or omit translations when appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill hard-codes English as the translation/output language, which overrides user locale preferences and can cause unintended disclosure or exclusion for non-English users. This is a genuine policy/quality issue, but in this educational context it does not create direct code-execution or privilege-escalation risk.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The global instruction to always include English translation imposes a fixed language choice across all interactions, which can conflict with user intent and accessibility needs. While not a classic security flaw, it is a real prompt-policy weakness because it reduces user control and may unnecessarily expose content in English even when another support language is preferred.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal