ClawHub

教育征文写作助手

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Chinese education essay helper, but users should redact student and classroom personal information before using it.

Install only if you want a specialized Chinese education-contest essay workflow. Before providing materials, remove student names, IDs, grades, faces, contact details, handwriting identifiers, metadata, and sensitive school records; share summaries or anonymized excerpts instead of raw student work whenever possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes broad everyday phrases such as '帮我写作文' that can match general writing requests unrelated to the intended contest use case. This can cause accidental invocation, leading users to disclose unnecessary educational or personal information to the skill when they did not intend to use this specialized workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires collection of teacher identity, school affiliation, class details, student characteristics, and teaching-use data without any privacy notice, minimization guidance, or warning not to include personally identifiable student data. In an education context, this creates a realistic risk of exposing protected educational records or sensitive classroom information through prompt input.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Encouraging users to upload teaching plans or student work without a warning materially increases the chance that personal data, student identifiers, evaluations, or copyrighted school materials are shared into the system. Because student work often contains direct identifiers or educational performance data, this is more dangerous than a generic upload prompt.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal