ClawHub

University

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only study planner that stores learning records locally and has some privacy-sensitive optional features, but its behavior is disclosed, coherent, and purpose-aligned.

Install only if you are comfortable with a local ~/university/ folder containing study materials, goals, schedules, assessments, and progress history. Avoid putting unrelated sensitive files there, review or delete the folder when done, and only enable calendar sync, notifications, or parent/tutor sharing after deciding exactly what data should be visible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly defines a persistent workspace under ~/university/ and instructs the agent to create and populate files there, but it provides no user-facing notice, consent step, or retention guidance. This can surprise users by storing potentially sensitive educational history, goals, exam performance, and uploaded materials on disk, increasing privacy and data exposure risk on shared or unmanaged systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs storing a detailed learner profile in a persistent local file and tracking behavioral and performance signals, but it provides no notice, consent flow, retention limits, or privacy controls around that collection. Even if stored locally, this can expose sensitive educational, behavioral, and schedule data to other local users, backups, synced folders, or downstream tooling without the learner understanding that such profiling is happening.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The parent/tutor visibility section contemplates sharing learner activity, dashboards, alerts, and communication preferences with third parties, but it does not warn the user that their learning data may be disclosed externally or require explicit authorization. In an education context, this is particularly sensitive because progress, struggles, motivation, and performance indicators may reveal personal or potentially protected student information.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The morning briefing is described as something to 'Generate each morning' without clearly defining whether it runs only after explicit user opt-in, on a schedule the user configured, or whenever the agent infers a new day has started. In an assistant context, broad trigger language can cause unintended autonomous planning actions or surprise notifications, which becomes a security and trust issue when the skill acts without a well-bounded invocation condition.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The phrase 'When user has time to study' is ambiguous and could overlap with ordinary conversation about availability rather than a deliberate request to generate a study session. In agent systems, vague activation criteria can lead to unintended execution, unnecessary processing, or behavior that feels intrusive because the assistant acts on inferred intent instead of explicit commands.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The calendar sync section proposes importing external work and personal calendars and detecting free slots automatically, but it does not mention obtaining informed consent, disclosing the scope of accessed data, or warning about privacy implications. Because calendars routinely contain sensitive meetings, locations, personal events, and employer information, silent or under-explained access can expose private data and create excessive data collection risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes a tutor/parent dashboard exposing learner progress, struggles, and deadlines but does not mention consent, access controls, age-appropriate safeguards, or privacy boundaries. In an education context, this can lead to unauthorized monitoring, overcollection of student performance data, and disclosure of sensitive learning information, especially for minors.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal