Security audit

考公备考追踪

Security checks across malware telemetry and agentic risk

Overview

This study-tracking skill is coherent, but it makes local-only privacy claims while screenshots and records can be sent to model providers, exported with images, or uploaded to Feishu.

Install only if you are comfortable with exam screenshots, notes, performance records, and inferred mood being stored locally, sent to your configured multimodal model for image recognition, and uploaded to Feishu when sync is enabled. Use a dedicated channel/workspace, avoid sending unrelated images, keep Feishu sync off unless needed, and prefer exports without embedded screenshots for sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill declares platform-agnostic behavior plus optional Feishu sync and multimodal API usage, which implies network access and likely environment/config secret use, yet no permissions are declared. Undeclared capabilities weaken user consent and platform enforcement because the skill can access external services or local configuration without an explicit permission boundary.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 86%
Finding
The documented behavior does not fully match the described capabilities: it includes scheduled reminders, automatic mastery-state changes, onboarding behavior, and references to an OCR path despite claiming unified multimodal handling. Behavior drift is dangerous because users and reviewers cannot accurately predict what the skill will do, especially for proactive messaging, background processing, and image handling paths that may process sensitive study screenshots.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The README explicitly promises that all data stays local and is not uploaded to any cloud, but the same document later describes multimodal model invocation and optional Feishu cloud sync. This is a security-relevant transparency failure: users may share screenshots and study records under a false privacy assumption, causing unintended disclosure to external providers.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The design-principles section claims data does not pass through any third-party servers, which contradicts the documented use of external multimodal models and Feishu synchronization. Such contradictory privacy claims can mislead users into exposing sensitive screenshots, notes, or identifiers to external services they believed were never involved.

Context-Inappropriate Capability

Severity: Low
Confidence: 86%
Finding
The code explicitly infers a user's mood from study messages and includes that value in the structured output, even though the skill's stated core purpose is study/error tracking. This creates unnecessary collection of sensitive personal-state data and can expand downstream storage, profiling, or sharing beyond what users reasonably expect from a prep tracker.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README promotes syncing wrong-question data and original screenshots to Feishu cloud docs without an explicit privacy/security warning. Because screenshots may contain personal data, exam identifiers, or sensitive notes, users may enable sync without understanding that raw content leaves the local machine and is stored by a third party.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger scope is extremely broad: any mention of studying, mistakes, exam prep, or even any image message may invoke the skill. Overbroad invocation can cause unintended processing and storage of user content, including screenshots and personal notes, in contexts where the user did not intend to activate this data-collecting workflow.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The alias map contains very generic trigger terms such as “语言”, “阅读”, “数学”, “数字”, “逻辑”, “推理”, “作文”, and “分析”, which are common in many unrelated conversations. Because the skill is configured to trigger whenever users mention study, mistakes, or prep topics, these broad aliases can cause unintended activation, routing unrelated user content into OCR, local record updates, Excel export, or Feishu sync flows. In this skill context, the issue is more dangerous because the downstream actions include processing images and syncing data externally, so a false trigger can lead to unnecessary collection or disclosure of user study data.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The export intentionally serializes sensitive study records and embedded screenshots into an Excel file on disk, which can preserve personal notes and image content in a shareable artifact without an explicit privacy warning or consent checkpoint. In this skill context, screenshots may contain more data than the user expects, making accidental disclosure via exported files or later sharing more likely.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The image parsing flow sends user-provided screenshots to an external multimodal model via agentCall without any in-function disclosure, consent check, or visible warning. Wrong-question screenshots can contain personal notes, identifiers, or other sensitive educational data, so silent third-party transmission creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The function stores the image content itself in returned structured data as raw_image_b64, even after compression, which still preserves the underlying screenshot contents. Retaining full image payloads increases exposure if logs, exports, local records, or Feishu sync destinations are accessed, leaked, or mishandled.

VirusTotal

63/63 vendors flagged this skill as clean.