Security audit

kids-english-teacher

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it turns a child's English homework photo into a downloadable interactive lesson page, with expected but sensitive microphone and child-content handling to review.

Before installing, be comfortable with a workflow that analyzes a child's homework image and saves a generated HTML lesson containing that content. When the page is opened in Chrome, only allow microphone access if a guardian is comfortable with browser speech recognition; the lesson can also be reviewed or edited to remove the microphone feature or the Google Fonts link for more private use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 89% confidence

Finding
The skill's trigger conditions are broad enough to match generic requests like '幫我做一個學習頁' ("help me make a learning page") when an image is present, which can cause unintended invocation and route users into a workflow they did not explicitly request. In a skill that analyzes uploaded child homework and generates files, overbroad triggering increases the chance of unexpected processing of user content and surprise data handling.

Missing User Warnings

Medium, 86% confidence

Finding
The skill instructs saving generated output to `/mnt/user-data/outputs/...` and returning it to the user, but it does not clearly disclose that user-derived content will be written to persistent user storage. This can create a transparency and privacy issue because the image-derived homework content, including a child's mistakes, may be retained or exposed in ways the user did not expect.

Missing User Warnings

Medium, 93% confidence

Finding
The skill mandates a microphone-based speech recognition feature for a child-focused learning page without a clear upfront privacy warning about audio capture, browser permissions, and how speech data may be processed by the browser or platform. Because this is aimed at children's homework, the sensitivity is higher and users should be clearly informed before any audio capture feature is encouraged.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.