English Bestie

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Telegram English tutor, but it needs Review because it stores learner data and creates ongoing automated Telegram outreach with limited user controls.

Install only in a dedicated OpenClaw workspace with a dedicated Telegram bot and a consenting student. Review openclaw.json, SOUL.md, HEARTBEAT.md, and all cron jobs after setup; protect the Telegram token; reduce or remove unwanted scheduled messages; and decide how learner profile, mistake, and conversation-history files will be reviewed or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs reading and writing numerous files under `{baseDir}/tracking/*`, but its metadata declares no corresponding permissions. This creates a capability/consent mismatch: an operator or user may believe the skill is limited to teaching via Telegram, while it persistently accesses local data stores and modifies state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared description presents a friendly English-teaching Telegram skill, but the behavior includes substantially broader operational setup and persistent identity/data handling. Description-behavior mismatch is dangerous because it undermines informed consent and can hide installation, credential handling, or data collection actions that a user did not reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The heartbeat expands the skill from delivering daily lessons into proactive social engagement, including news/article sharing and casual chat prompts. That broadens behavior beyond the declared role and can lead to unbounded autonomous outreach, greater data processing, and user surprise about how the agent will interact.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill monitors recent casual English messages, corrects them, and persists every mistake, which goes beyond running daily lessons into continuous surveillance-like analysis of general conversation. In context, this increases privacy risk because ordinary chat content is being repurposed for long-term tracking without a narrow necessity boundary.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs creation of 12 standing cron jobs for proactive outreach throughout the day, well beyond responding to explicit user requests. Autonomous multi-touch messaging increases abuse potential, can spam or harass users, and may continue after user expectations change unless tightly bounded by consent and clear stop controls.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The instruction to self-schedule follow-up after every interaction creates an open-ended feedback loop of autonomous contact. Without strong limits, this can lead to runaway scheduling, persistent unsolicited messaging, and difficulty auditing or stopping future actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs unsolicited Telegram nudges after periods of inactivity without clearly disclosing autonomous outbound messaging or allowing the user to control frequency. This creates consent and privacy concerns, especially because inactivity itself is behavioral data used to trigger contact.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Logging every mistake from casual conversation to persistent storage is a clear retention and privacy issue because user-generated content is being stored beyond the immediate interaction. Without notice, retention limits, or minimization, this can accumulate sensitive personal language samples and behavioral history.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The weekly workflow writes multiple tracking artifacts and sends a summary via Telegram, but the skill does not clearly warn that internal profile data will be updated and then shared outward. This can surprise users and leak more progress or personal-learning information than they expect.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Self-scheduling autonomous follow-ups via cron creates durable future actions outside the current interaction, yet the skill does not clearly warn users that it will schedule outreach on its own. This is more dangerous than a one-off reminder because it enables ongoing autonomous contact and can persist even after user expectations change.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly describes unsolicited, frequent Telegram outreach and long-term storage of sensitive learner data such as profile details, mistakes, reflections, and full conversation history, but does not provide a clear privacy, consent, or retention warning. This creates a real security and safety risk because operators may deploy the skill without informed user consent, exposing personal data and enabling intrusive monitoring-like behavior through a consumer messaging platform.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The onboarding section states that the agent will automatically schedule 12 daily cron jobs and begin proactive messaging, but the README does not surface this as a prominent operational warning before installation or first run. This is dangerous because users may unintentionally deploy an agent that initiates repeated automated contact, leading to spam, harassment, unexpected costs, or messaging to a student before proper consent and configuration checks are completed.

Vague Triggers

High
Confidence
97% confidence
Finding
`always: true` gives the skill an overly broad invocation condition, making it active in all contexts instead of only when requested or relevant. That expands the chance of accidental triggering, unintended file access, and unsolicited outreach behaviors being executed outside the expected lesson workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill promotes persistent proactive messaging and multiple daily scheduled contacts without presenting a clear warning about message frequency, autonomy, or how to stop it. This is risky because users may unknowingly enable a system that behaves more like an always-on outreach agent than a lesson responder.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill reads and writes a large set of tracking files containing learner profile data, conversation history, mistakes, and reflections, but does not provide an explicit privacy notice or retention disclosure. Users may therefore share personal information without understanding that it will be persistently logged and reused across sessions.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The forced 'American friend' and native-speaker identity is primarily a transparency and impersonation concern rather than a severe exploit primitive. It can still mislead users about the system's identity or cultural background, especially because the persona is mandatory and not disclosed as role-play/teaching style.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file explicitly states that onboarding/session data will be auto-populated and that assessments, lesson summaries, conversation logs, and progress notes will be recorded, but it provides no notice about consent, retention, access controls, or deletion. In a Telegram voice-based teaching skill, this creates a real privacy risk because users may share personal data in spoken conversations and reasonably not expect persistent storage without clear disclosure and controls.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction to log every mistake from casual conversation mandates continuous collection of user-provided content beyond what is strictly needed to answer or teach in the moment. In an English-teaching context, that data may include personal anecdotes, health, work, or relationship details embedded in messages, making persistent storage particularly sensitive.

Ssd 3

Medium
Confidence
97% confidence
Finding
The onboarding flow collects and persists personal data including name, native language, work/study, hobbies, goals, interests, Telegram identifiers, and assessed weaknesses. Broad collection plus durable storage in plain files raises privacy and profiling risks, especially when the skill does not justify minimization or present retention/consent controls.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to remember every mistake, keep private reflections, and repeatedly reuse full historical data to shape future interactions. This creates a broad behavioral profile of the learner and accumulates sensitive educational and personal data beyond what many users would expect from a casual teaching bot.

Ssd 3

Medium
Confidence
96% confidence
Finding
Requiring the agent to always read all tracking files, including full conversation history and student profile, at the start of every interaction enforces maximum data exposure on every run. Even if the current interaction only needs a small subset of context, the design guarantees broad access and increases blast radius if the skill is misused or compromised.

VirusTotal

64/64 vendors flagged this skill as clean.
