feyman-coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent learning-coach skill that reads local Markdown notes and writes review tasks. It offers optional, user-configured automation; no hidden exfiltration or destructive behavior was found.

Install only if you are comfortable with the skill scanning Markdown files in the chosen vault and creating review files under Z_Utils/feynman-coach. Use --dry-run or --list first, set vault_path narrowly, and avoid the GitHub Actions auto-push workflow unless the repository visibility and generated note metadata are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        # macOS
        elif sys.platform == "darwin":
            os.system(
                f'osascript -e \'display notification "{message}" with title "费曼教练"\''
            )
Confidence
95% confidence
Finding
os.system( f'osascript -e \'display notification "{message}" with title "费曼教练"\'' )

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        # Linux
        else:
            os.system(f'notify-send "费曼教练" "{message}"')

    def run_daily_review(self):
        """Run the daily review workflow"""
Confidence
96% confidence
Finding
os.system(f'notify-send "费曼教练" "{message}"')

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documents capabilities to read notes, write history files, and invoke shell commands for cron, PowerShell, GitHub Actions, and external integrations, yet it declares no permissions or trust boundaries. This creates a real security issue because users and the host platform are not clearly informed that the skill may access local knowledge bases, persist sensitive learning history, and trigger command execution paths.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The examples document behavior that goes beyond a passive coaching skill by creating files and configuring recurring review workflows. That scope expansion matters because users may trust the documented examples as supported behavior and trigger local persistence or automation without clear consent and without those capabilities being declared in the manifest.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The example states that the skill saves recommendations into the user's notes and sets reminders, which introduces persistent state changes not disclosed in the manifest description. Undeclared write/reminder behavior can surprise users, affect note integrity, and normalize broader-than-expected agent actions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Including OS scheduled-task setup in a learning-coach skill expands the operational footprint from educational assistance into host-level automation. Even if framed as convenience, persistence mechanisms can be abused or misapplied, especially when the examples do not discuss security boundaries, interpreter path trust, or least-privilege execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to set up a GitHub Actions workflow that automatically runs a script, stages generated files, commits them, and pushes to the repository without an explicit warning that this will modify repository contents and publish changes remotely. This is dangerous because users may enable unattended write-and-push behavior in a notes repository without understanding the persistence and exposure implications, especially if notes contain sensitive material.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The scheduled task and crontab instructions configure unattended execution of a script that generates review files in the user's project, but the documentation does not clearly warn that automatic runs will write files into the notes directory on a recurring basis. This can lead to unexpected file creation, repository pollution, or accidental inclusion of generated content in backups/sync targets.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill states that it reads notes, stores historical diagnosis records, and can sync or export data to external tools, but it does not provide clear disclosure about what data is collected, where it is stored, retention, or whether external services receive user content. This is dangerous because users may unknowingly expose private study notes, metadata, and learning history to local persistence or third-party systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples describe automatic creation and saving of review files to the user's workspace without a clear warning that local data will be modified. Silent or lightly disclosed writes are risky because users may run examples expecting analysis only, while the skill creates artifacts or alters note organization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Claiming that suggestions are saved and reminders are set without an explicit user-facing warning creates an informed-consent problem for persistent changes. In note-taking environments, even benign automated edits can damage trust, clutter repositories, and create hard-to-audit modifications.

VirusTotal

64/64 vendors flagged this skill as clean.
