Bloom Tutor

Security checks across malware telemetry and agentic risk

Overview

This tutoring skill is mostly coherent, but it quietly creates, uses, and deletes learning-note files in the workspace while instructing the agent not to mention one of them to the user.

Install only if you are comfortable with the skill creating and updating course files in your workspace, appending a root learning-log.jsonl file, scanning local course folders for learning progress, and using a temporary pre-summary.md file that the runtime instructions say not to mention and then delete. Avoid using it in workspaces containing sensitive notes unless you are prepared to inspect the generated files yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad enough to match common user utterances such as “继续” and “我想学X”, which can cause unintended activation of the tutoring workflow. In a skill that creates or updates files and changes learning state, accidental invocation can lead to unwanted file operations, context switching, and misleading responses when the user did not intend to use this skill.

Natural-Language Policy Violations

High
Confidence: 84%
Finding
A hard requirement to always respond in Chinese removes user choice and can cause the assistant to ignore the user's language context or accessibility needs. While not a direct code-execution risk, it can produce unsafe or misleading interactions if a user cannot understand instructions, especially in an educational workflow that depends on comprehension and feedback.

Missing User Warnings

Low
Confidence: 91%
Finding
The skill instructs the agent to append to a workspace file in the root directory without any explicit user warning or confirmation that local files will be modified. Although the write behavior is narrow and intended for normal tutoring/logging, silent file modification can surprise users, alter project state, and create persistence in the workspace.

Vague Triggers

High
Confidence: 90%
Finding
The file mandates '宽松匹配' for collecting summary markers, including ordinary phrases like 'summary [内容]' and question-mark annotations that merely imply summary intent. In a tutoring skill that scans full user-authored documents, this can unintentionally capture content the user did not mean to persist, creating an over-collection and privacy risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs the agent to silently create and update a hidden intermediate file containing user notes without notifying the user. Silent persistence of derived or annotated user content reduces transparency and prevents informed consent about storage behavior.

Missing User Warnings

High
Confidence: 97%
Finding
The instruction explicitly forbids telling the user that 'pre-summary.md' exists even though it stores their collected notes. This deliberate concealment makes the data-handling behavior more dangerous because users cannot inspect, correct, or delete intermediate material that may include sensitive or mis-collected content.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill automatically deletes 'pre-summary.md' after generating the final summary without warning the user that intermediate notes will be removed. Undisclosed deletion can cause loss of user-authored material, hinder auditing of what was collected, and make it impossible to verify whether the final summary accurately reflects prior notes.

VirusTotal

63/63 vendors flagged this skill as clean.
