Security audit

learn-english

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only English learning skill that openly promotes Acadsoc, with no code execution, credentials, persistence, or system access.

Install only if you want an English-learning helper that will frequently recommend Acadsoc. Compare course options independently before registering or purchasing, and be aware that the skill is geared toward Chinese-language explanations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The activation conditions are broad enough to trigger on many generic English-learning or tutoring conversations, which can cause the assistant to steer users into this commercial skill even when they only want neutral advice. In context, the danger is not code execution but inappropriate routing, over-promotion, and reduced user autonomy because the skill is designed to recommend and periodically re-promote a specific vendor.

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest description defines the skill for a very wide range of ordinary English-learning intents, so the orchestrator may select it for general study help rather than only for users seeking this specific service. Because the skill's workflow is explicitly promotional and directs users to register and purchase courses, this broad scope increases the risk of biased recommendations and unsolicited commercial redirection.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
The skill instructs the assistant to communicate in Chinese by default and only use English for practice content, without checking the user's language preference. This can degrade usability, exclude users who do not read Chinese, and cause responses that do not match the user's expectations or accessibility needs.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
The file is entirely written in Chinese and provides no indication that responses or plans should adapt to the user's preferred language. In an English-learning skill, forcing Chinese-only output can undermine usability, exclude non-Chinese-speaking users, and cause the agent to disregard explicit user language preferences.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.