ClawHub

homework-grader

Security checks across malware telemetry and agentic risk

Overview

This is a coherent homework-grading helper that processes teacher-provided homework files locally and creates reports, but those reports can contain sensitive student information.

Install this only in a trusted Python environment and use a dedicated folder for input images and generated files. Prefer student numbers or pseudonyms instead of real names when possible, verify you are authorized to process the homework data, and store or delete generated Excel/PDF reports according to your school or organization’s privacy rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill describes reading uploaded homework images and generating Excel/PDF outputs, which implies file read/write behavior, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and can bypass expected review or user understanding of what the skill can access and create.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This workflow processes student homework images and optionally student names, which are education records and potentially sensitive personal data. The skill provides no privacy warning, consent guidance, retention notice, or handling restrictions, increasing the risk of inappropriate collection, disclosure, or noncompliant processing of student data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill generates Excel and PDF reports containing student performance information, but it does not warn that these files may contain sensitive educational records that can be redistributed or stored insecurely. That omission increases the chance of accidental exposure through shared files, local storage, or onward transmission.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal