ClawHub

高考 (Gaokao)

Security checks across malware telemetry and agentic risk

Overview

This Gaokao study skill is a coherent local study assistant, with privacy caveats because it stores detailed student progress and inferred patterns on the user’s machine.

Install only if you are comfortable keeping exam-prep records locally under ~/gaokao/ or ~/gaokao-tutor/. Avoid storing unnecessary full names, school details, health notes, or multi-student records on shared or synced machines, and periodically review or delete the stored files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill explicitly stores detailed student data under ~/gaokao/, including profile information, study sessions, mock results, weak areas, and feedback, but provides no retention notice, privacy warning, or guidance on protecting that data. Even though storage is local, these records may contain sensitive educational and personal information that could be exposed to other local users, backups, sync tools, or unintended reuse by the agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly stores persistent user feedback and inferred behavioral/performance patterns such as study times, burnout signals, anxiety timing, and weak areas, but the privacy notice is too general and does not clearly disclose the sensitivity and breadth of these inferences. This creates a real privacy risk because users may not understand that the agent is profiling them over time and persisting those derived insights across sessions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal