Back to skill

Security audit

Teacher Lesson Plans (UK Curriculum)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent teaching-support skill, but teachers should avoid entering unnecessary identifiable student information.

Use initials or placeholders instead of full pupil names where possible, avoid entering safeguarding, medical, behavioral, SEND, or other unnecessary sensitive details, and follow your school or district policy for using AI tools with student information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes generating personalised student report comments but provides no warning to avoid entering personally identifiable student data or sensitive educational information. In an education context, users are likely to paste names, attainment, behaviour, SEND, or safeguarding-adjacent details into the tool, creating a realistic privacy and data-handling risk even if the skill itself is not overtly exfiltrating data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example command includes a student's name in a personalised report-comment prompt, which normalises submission of directly identifying student information without any privacy caveat. Because this skill is aimed at teachers handling minors' records, the context makes the pattern more dangerous: users may infer that entering names and performance details is expected and acceptable.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The listing explicitly encourages generation of personalised student report comments using a student's name, attainment, and effort, which can involve personal data about a child. There is no accompanying privacy guidance, minimisation advice, or warning against submitting identifiable or sensitive pupil information to the system, creating a realistic risk of inappropriate disclosure or non-compliant data handling in a school context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.