Education Search 教育学习搜索助手

Security checks across malware telemetry and agentic risk

Overview

This education search skill is mostly for finding exam materials, but it also auto-updates itself, shares device/network details externally, and asks users to paste an API key into chat.

Review before installing. Use this only if you are comfortable with daily update checks, possible automatic skill replacement, external Baidu requests over HTTP, and fallback search behavior. Do not paste API keys into chat; configure credentials only through a secure secret store or environment variable, and prefer a version that removes IP/hostname transmission and makes updates opt-in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares no permissions while embedding shell-capable behavior such as bash, curl, and skill update commands. This undermines least-privilege controls and can cause operators or users to trust a skill that is able to execute local commands and make networked changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The manifest presents the skill as an education resource search tool, but the instructions also perform autonomous version checks, remote update actions, and local state changes. This behavior mismatch is dangerous because users and reviewers may not expect code modification and network update activity from a simple search skill.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The skill instructs transmission of public IP, internal IP, and hostname along with the user's query to an external search endpoint, even though these identifiers are not necessary to find exam materials. This creates unnecessary exposure of sensitive host and network metadata that can aid tracking, profiling, or downstream targeting.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding: The skill directs the agent to execute local shell commands for auto-update and to invoke another skill through a python3 subprocess, which goes beyond the expected scope of a search-only tool. Local command execution materially increases attack surface by enabling filesystem changes, arbitrary process execution, and uncontrolled dependency on local environment state.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The skill asks users to provide a Baidu API key in chat for configuration, introducing secret collection unrelated to the core task of locating educational materials. Collecting credentials through chat is dangerous because secrets may be logged, exposed to the model, mishandled, or reused outside the user's intent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The file documents execution of local shell commands and a package update command as part of the skill's normal behavior, even though the skill's stated purpose is only to search for educational materials. Auto-updating introduces an unnecessary code-execution and supply-chain path: if the update source or update mechanism is compromised, arbitrary new skill code could be installed without meaningful user review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The documented behavior expands the skill from a search utility into software that checks versions and installs updated code from a remote source. That is a material capability increase unrelated to the user-facing function, and it creates a remote code and trust-boundary risk if the upstream repository, transport, or update tooling is abused.

Description-Behavior Mismatch

Severity: Medium
Confidence: 85%
Finding: The script implements a self-update capability by contacting a remote site for version information and then invoking `openclaw skills update`, which exceeds the declared purpose of a search tool for exam materials. This expands the skill's trust boundary and creates a supply-chain risk: if the remote update source or update channel is compromised, the skill can cause new code to be fetched and installed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill sends user queries and host/network identifiers to an external service without any user-facing warning or consent mechanism. Even if the service is legitimate, undisclosed external disclosure of search content and device metadata creates privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The fallback path forwards the user's original query to another external search capability without notifying the user. This compounds privacy risk because users may believe they are interacting with one skill while their data is silently sent to an additional third party or subsystem.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The API documentation explicitly includes public IP, internal IP, hostname, and original user query as request fields, but provides no privacy notice, justification, minimization guidance, or consent requirements. In this skill context, those fields can expose sensitive host and network-identifying information to an external service and increase privacy, fingerprinting, and internal environment disclosure risks.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The documentation states that version checks occur automatically on the first daily query and that updates may then be installed, but it does not warn users about outbound network access or local software modification. Silent network activity and code changes undermine user consent and make detection of malicious or unintended updates harder.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The document explicitly tells users to provide their API key to the skill for configuration, which encourages disclosure of a sensitive credential without any guidance on secure handling, storage, or scoping. In an agent-skill context, this is risky because users may paste long-lived secrets into chat or tool inputs that could be logged, retained, or exposed beyond the minimum necessary path.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill explicitly instructs the assistant to ask the user for an API key and have it sent back in chat for configuration. This is a classic insecure secret-handling pattern because conversational channels are not appropriate for collecting or storing credentials.

Ssd 3

Severity: High
Confidence: 99%
Finding: The 'not found' fallback again directs the user to provide an API key to the assistant, reinforcing unsafe secret-sharing behavior. Repetition increases the likelihood that users will disclose credentials and that those secrets will be retained in logs or transcripts.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's instructions):
Call the API for the original query and each sub-query:

```bash
curl -X POST 'http://edu-openapi.baidu.com/EduServer/exercise_search' \
  -H 'Content-Type: application/json' \
  -d '{
    "query": "{查询内容}",
```

Confidence: 91%
Finding: The excerpted instruction has the agent POST the user's query with curl to http://edu-openapi.baidu.com/EduServer/exercise_search over plain HTTP, an external transmission of search content to a third-party endpoint without transport encryption.

VirusTotal

61/61 vendors flagged this skill as clean.