数学教育助手 (Math Education Assistant)

Security checks across malware telemetry and agentic risk

Overview

This is a Chinese K12 math tutoring skill made of markdown guidance only, with no code, credentials, persistence, or external access requested.

Safe to install based on the reviewed artifacts. Use it for math-learning requests, avoid including unnecessary personal information in homework images or prompts, and verify important generated answers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 87%
Finding
The skill description says users can trigger it with natural-language math-learning requests and emphasizes broad coverage, but it does not define concrete activation boundaries. In an agent environment, overly broad triggering can cause unintended invocation on adjacent queries, leading to inappropriate tool use, context confusion, or disclosure of user content to the skill when another capability should have handled the request.

Vague Triggers

Medium
Confidence: 89%
Finding
The line stating that natural language alone is sufficient to trigger the skill reinforces permissive activation without constraints or disambiguation logic. This increases the chance the skill activates on loosely related educational or numeric requests, which can degrade routing integrity and expose more user input than necessary to this skill.

Vague Triggers

Medium
Confidence: 89%
Finding
The listing states users can invoke the skill with natural language and "无需记忆任何指令," which describes a broad trigger surface without clear boundaries. In a skill-routing environment, this can cause over-invocation on loosely related prompts, leading the skill to receive conversations it should not handle and increasing prompt-scope or context-confusion risk.

Vague Triggers

Medium
Confidence: 93%
Finding
The usage section gives only positive examples and says natural language is sufficient, but provides no trigger constraints, disallowed cases, or ambiguity handling. This makes accidental or excessive activation more likely, especially for short requests that resemble tutoring but are outside the intended K12 math scope.

VirusTotal

66/66 vendors flagged this skill as clean.
