math-grade2-spring

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only elementary math tutoring skill; its main caution is optional tracking of a child’s progress and mistakes without a privacy notice.

Install only if you are comfortable with the agent discussing or remembering a child’s learning progress and mistakes. Avoid sharing identifying details about the student, and clear conversation or memory data if you do not want progress information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill advertises study progress tracking, time statistics, correctness rates, and automatic wrong-answer recording, but provides no notice about what learner data is stored, for how long, or who can access it. Because the skill is aimed at children, undocumented collection or retention of educational data is more sensitive and can create privacy and compliance risks if personal or behavioral data is persisted without clear disclosure and minimization.

Vague Triggers

Medium
Confidence: 92%
Finding:
The trigger description is broad enough to match generic requests like '数学学习' ("math learning") or '数学辅导' ("math tutoring"), which can cause the skill to activate outside its intended narrow scope. Over-broad activation can route unrelated conversations into this skill, increasing the chance of inappropriate responses, mishandling of user context, or unintended collection of student-related progress data.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill explicitly describes recording learning chapters, study duration, accuracy rates, and wrong-answer history, but provides no notice about what data is stored, for how long, who can access it, or whether parental consent is needed. Because the target users are children, this omission is more sensitive than usual and can lead to privacy harm, unnecessary retention of minors' educational data, or noncompliance with child privacy expectations.

VirusTotal

66/66 vendors flagged this skill as clean.
