ClawHub

IELTS

Security checks across malware telemetry and agentic risk

Overview

This IELTS study skill is instruction-only and purpose-aligned, with disclosed local progress storage but no evidence of exfiltration, hidden execution, or privilege use.

Before installing, understand that this skill may create local IELTS records under ~/ielts/ containing goals, exam dates, scores, essays, transcripts, recordings, and feedback corrections. Avoid storing unnecessary sensitive details, and review or delete that folder when you no longer need the history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly states that user data is stored persistently under ~/ielts/ but does not warn the user or request consent before local writes. Because the stored content includes profiles, essays, transcripts, recordings, and progress logs, this can expose sensitive personal and educational data to unintended retention, local compromise, or privacy surprises.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to persist user corrections to `~/ielts/agent-learning.md`, which creates a retention mechanism for user-provided content outside the immediate interaction. Even if the content seems low sensitivity, it may contain personal learning details or free-text disclosures, and the file write occurs without any notice, consent flow, retention limit, or minimization guidance.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to log corrections in a persistent local file causes user-supplied content to be retained beyond the current session, which can expose prior interactions to other processes, users, or later prompts with file access. In an IELTS coaching context, corrections may include study history, weaknesses, test readiness, and other personal educational data, making uncontrolled persistence a real privacy risk.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal