Security audit

Bilingual Learning

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed bilingual learning skill that locally stores vocabulary lists and changes responses when invoked, with no evidence of hidden execution, credential access, network transfer, or unrelated destructive behavior.

Install this only if you want the agent to add bilingual learning content, checks, and quizzes to responses. Expect local vocabulary history to be saved in the skill's data files, and use the delete or clear commands carefully because they can remove saved word lists.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 82%
Finding
The skill documentation describes capabilities to read and write persistent local files (`data/new_words.json`, `data/known_words.json`) and provides CLI commands that modify them, yet no permissions are declared. Hidden or undeclared stateful file access weakens user and platform trust boundaries because activation of the skill could cause unexpected persistence or modification of local data.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The stated purpose is a conversational bilingual-learning overlay, but the documented behavior includes persistent vocabulary management, standalone administration commands, and randomized exam workflows that go beyond that description. This mismatch can mislead reviewers and users about what the skill actually does, obscuring state changes and data-handling behavior that affect privacy and integrity.

Description-Behavior Mismatch

High
Confidence: 90%
Finding
The file implements a standalone word-library management CLI with add/delete/exchange/list/clear capabilities, which does not align with the skill metadata claiming bilingual-learning output processing. In an agent skill context, this functionality mismatch is dangerous because it introduces undeclared stateful and destructive capabilities that could be invoked to manipulate local data outside the user-expected scope.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The delete, exchange, and clear operations modify or erase vocabulary data even though the stated skill purpose is presentation-oriented bilingual learning. Hidden destructive operations increase risk because an agent or user may trigger data loss under the assumption the skill only reformats or teaches content.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The README explicitly says the agent will force bilingual-learning processing before every final output, regardless of user preference. Mandatory output transformation can override user intent, interfere with higher-priority task behavior, and create prompt-scope violations by injecting unsolicited content into responses.

Vague Triggers

Medium
Confidence: 76%
Finding
The activation criteria are broad enough to trigger during ordinary conversation whenever the user 'wants to casually learn English' or receive passive vocabulary exposure. Ambiguous triggering increases the chance the skill runs unexpectedly, causing unsolicited behavior changes and possible persistent writes without clear, situational consent.

Missing User Warnings

Medium
Confidence: 90%
Finding
The detection layer states that words the user does not understand are automatically written into a vocabulary library, but the description does not warn users that this creates persistent records. Silent persistence of inferred user knowledge can expose learning history and preferences and violates expectations of ephemeral chat behavior.

Natural-Language Policy Violations

High
Confidence: 93%
Finding
The skill claims it will forcibly apply bilingual processing before the agent's final output, removing user control over how responses are delivered. Forced output transformation can interfere with task accuracy, safety messaging, accessibility, and user intent, especially in contexts where concise or exact wording matters.

Natural-Language Policy Violations

High
Confidence: 92%
Finding
The overview says the agent will inject learning checks into normal coding conversations so the user 'unconsciously' learns vocabulary, indicating deliberate unsolicited manipulation of responses. In context, this is more dangerous because it targets everyday interactions and can alter answers, interrupt workflows, and collect inferred knowledge state without explicit consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The clear command irreversibly wipes the selected library immediately, with no confirmation prompt, dry-run option, or recovery mechanism. In an agent-integrated environment, accidental invocation or argument confusion can cause total data loss very easily.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The file explicitly describes and implements mixed-language/bilingual output as part of the exam flow without any visible user opt-in or runtime consent check. In an agent setting, forced output transformation can override user intent, create prompt-scope confusion, and increase the risk of unintended instruction injection or policy bypass through unrequested language switching.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.