ClawHub

School

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only K-12 tutoring skill whose child-data handling is sensitive but disclosed and aligned with its educational purpose.

Before installing, decide what child information you are comfortable storing in ~/school/. Avoid entering full names, actual school names, addresses, photos, phone numbers, or location details; use minimal identifiers and school-system/curriculum labels instead. Keep parent verification private, review or delete old records periodically, and verify whether your agent platform truly provides encryption, access controls, and deletion behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill documentation contains a direct privacy contradiction: the workspace schema says `profile.md` stores the child's school, while the safety rules say the system must not ask for or store school names. In a K-12 context, school affiliation is sensitive child data and can increase re-identification risk when combined with age, grade, calendar, and progress records.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims parents can see progress and time but not private conversations, yet the described workflow logs homework topics, weak areas, study activity, and weekly summaries for parents in a way that can reveal the substance of a child's interactions. For minors, ambiguous boundaries around parent visibility can lead to unintended disclosure of sensitive educational or personal context shared during tutoring sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs recording session details, difficulty areas, breakthroughs, homework completion, and sharing weekly summaries with parents, but provides no constraints on data minimization, retention, access control, or safe handling of minors' educational data. In a K-12 context, this creates a real privacy and compliance risk because agents may collect and store sensitive learner information more broadly than necessary or disclose it without clear safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal