Master Teacher

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed teaching and progress-tracking helper that writes local course files but shows no hidden, destructive, or exfiltrating behavior.

Install this only in a workspace where saved course notes and progress are acceptable. Avoid putting sensitive personal or confidential project details into lesson responses, review USER.md or MEMORY.md if they contain private profile data, and delete the generated course directory when you no longer want the persisted learning history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README advertises persistent progress tracking and later describes course files being stored in the workspace, but it does not clearly warn users that files will be written and retained across sessions. This can lead to unanticipated persistence of user learning history, topics, or sensitive project-related material in local workspace files, creating privacy and data handling risks.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script prints `last_student_response` directly to stdout, which can expose prior learner input containing personal data, sensitive prompts, or confidential course context to whoever runs or captures the command output. In a teaching/progress-resume workflow, this disclosure is not necessary for basic resume state and lacks any warning, consent, or redaction, making accidental privacy leakage plausible.

VirusTotal

67/67 vendors flagged this skill as clean.
