Security audit

Study Buddy - 牛宝华版

Security checks across malware telemetry and agentic risk

Overview

This is a coherent study-helper skill, but it is prototype-quality and should be used only with awareness that it relies on Feishu Bitable and has broad activation phrases.

Install only if you are comfortable with a Feishu Bitable-backed study tool and non-sensitive learning data. Treat progress, wrong-answer storage, and reminders as incomplete until the publisher adds clearer privacy terms, narrower triggers, opt-out/deletion controls, and redacted logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The header comment claims the skill tracks study duration, but the implementation never records or computes it. This creates misleading functionality and can cause users or downstream systems to trust inaccurate progress data, which is a security-relevant integrity issue even if it is not direct code execution or data theft.

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The function claims to return data from cache or database, but when no cache entry exists it fabricates plausible-looking default stats. Returning invented progress data as if it were real undermines data integrity and can mislead users into making decisions based on false records.

Intent-Code Divergence

Medium
Confidence: 99%
Finding
The category statistics and recent study history are hardcoded simulated values but are presented in the formatted message as the user's actual learning progress. This is deceptive behavior from a data-integrity perspective and can cause users to trust fabricated analytics and recommendations.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
Session state is stored with userId as the key, but answer handling retrieves it with sessionId and batch grading deletes using session.userId, which is never set in the stored object. This inconsistency can cause failed lookups, stale sessions that are never removed, and misbinding of one user's answers to another logical session if callers supply inconsistent identifiers.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The user-facing response states that wrong answers were automatically added to a mistake notebook and that review reminders will be pushed, but the persistence code is commented out and no reminder mechanism exists. This is a trust and integrity issue: users may rely on retention and reminder features that are not actually happening, which can mislead them about data handling and study progress.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The main request path calls generateDailyPlan(), which returns a flat plan object, but formatPlanMessage() expects a richer structure with plan.today and plan.tips. This mismatch causes runtime exceptions on normal use, and the catch block reflects raw error.message back to the user, creating a denial-of-service-style reliability issue and minor information leakage about internal implementation.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The fallback implementation writes full wrong-answer data, including user ID, question ID, and answer content, to application logs instead of storing it in the intended data store. Logs are often broadly accessible, retained longer than expected, and forwarded to third-party observability systems, so this creates an unintended disclosure path for user learning data.

Vague Triggers

Medium
Confidence: 95%
Finding
The documented trigger phrases include very broad everyday terms such as help, statistics, progress, and generic study-related words. In an agent skill system, overly broad triggers can cause unintended activation, which may lead to unexpected processing of user messages and accidental access to external systems or stateful actions.

Missing User Warnings

Medium
Confidence: 88%
Finding
The summary states that the skill can create, update, and delete Bitable records but does not disclose when destructive or modifying actions may occur. Users and operators may therefore enable or test the skill without understanding that it can alter external data, increasing the risk of accidental data loss or unauthorized modifications.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill integrates with Feishu Bitable and discusses progress tracking and wrong-answer management, but the summary does not warn that user study activity and progress data may be transmitted to an external service. This creates a transparency and privacy risk because users may unknowingly share personal learning history, performance data, or identifiers with a third-party platform.

Vague Triggers

Medium
Confidence: 85%
Finding
The example trigger phrase is very generic and resembles ordinary user conversation, which can cause the skill to activate unintentionally in unrelated contexts. In a chat-based agent environment, overly broad triggers can lead to accidental invocation, unexpected data access, or confusing behavior even without malicious intent.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger example lacks clear scoping and could match common conversational requests outside the intended skill workflow. This increases the chance of unintended activation and may cause the agent to respond as the skill when the user meant something else.

Vague Triggers

Medium
Confidence: 90%
Finding
A phrase such as asking to check 'my learning progress' is broad and occurs naturally in ordinary chat, which makes it ambiguous as an activation trigger. In systems that route on natural-language matching, this can produce accidental skill activation and unintentionally expose or modify user-specific study records.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README indicates storage of user learning records and use of a cloud database, but it does not warn users what data is collected, how long it is retained, who can access it, or how it is protected. This creates privacy and compliance risk because users may provide answers, progress data, and study history without informed consent or clear handling expectations.

Vague Triggers

Medium
Confidence: 96%
Finding
The trigger list is extremely broad and includes common terms like “帮助” (help), “测试” (test), “功能” (features), “日语” (Japanese), and “进度” (progress), which can cause the skill to activate during ordinary conversation rather than on explicit user intent. In this skill, accidental activation is more dangerous because it can lead to unintended study-flow actions and, more importantly, downstream data writes such as recording wrong answers to Feishu Bitable without a clearly scoped invocation.

Missing User Warnings

Medium
Confidence: 98%
Finding
The skill states that wrong answers are automatically stored in Feishu Bitable, but it does not present a clear user-facing privacy notice or obtain consent before transmitting and persisting study records to an external service. This creates a real privacy and data-governance risk because users may unknowingly cause their responses, mistakes, and potentially identifying study history to be stored remotely.

Missing User Warnings

Medium
Confidence: 98%
Finding
The code logs users' wrong-answer content without consent, warning, or any minimization, exposing educational interaction data through operational logs. In this skill context, the data may appear low sensitivity, but it is still user-generated content tied to a user ID and can leak through log aggregation, support access, or incident response tooling.

VirusTotal

64/64 vendors flagged this skill as clean.