CPA

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only CPA study helper that stores exam progress locally and may use calendar or student-progress data, but the behavior is disclosed and aligned with its purpose.

Install only if you are comfortable keeping CPA study records in ~/cpa/. Keep that folder private, avoid saving unnecessary score reports or identifiers, approve calendar access only when needed, and require explicit candidate consent before sharing progress with parents, tutors, or others.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs persistent storage of detailed user study data under ~/cpa/ without explicitly informing the user that local files will be created and retained. This can expose personal educational history, exam results, timelines, and state application details to other local users, backups, or later sessions without the user's clear consent.

Missing User Warnings

Low
Confidence: 87%
Finding
The skill instructs the agent to persist CPA exam pass dates and expiration data under a user home directory without any guidance on consent, minimization, retention, or file protections. While the data is not highly sensitive like credentials, it is still personal progress and scheduling information, and unnecessary disk persistence can expose private educational status to other local users, backups, or downstream tools.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill says it will 'scan calendar for available study blocks' without stating that calendar access requires explicit user consent, what data will be read, or how much of the calendar will be processed. Calendar contents can reveal sensitive personal and work information, so silent or assumed access creates a meaningful privacy and over-collection risk.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill proposes detailed analysis of prior CPA score reports and topic performance but does not warn that exam-performance data is sensitive personal information. While less severe than full financial or health data, this can still expose educational records, weaknesses, and personal history if collected or retained without clear disclosure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The parent-support section mentions progress visibility and periodic summaries 'with candidate permission,' which is a positive signal, but it still lacks concrete privacy controls around what is shared, how consent is obtained, and whether consent is revocable. Because this involves sharing a candidate's study progress with a third party, ambiguous consent handling can lead to unauthorized disclosure.

Missing User Warnings

Medium
Confidence: 95%
Finding
The tutor section describes maintaining separate tracking per student and generating aggregate insights across students without any privacy notice, consent language, or de-identification requirement. Multi-student tracking increases the chance of cross-student data exposure, and aggregation can still leak sensitive patterns if not properly anonymized.

VirusTotal

66/66 vendors flagged this skill as clean.
