ClawHub

期末试卷分析仪表盘

Security checks across malware telemetry and agentic risk

Overview

This skill is a local exam-analysis/report generator with no network or credential behavior, but users should handle generated student-performance reports carefully.

Install only if you are comfortable processing exam data locally. Before sharing generated HTML, charts, or reports, remove student identifiers where possible, confirm you have permission to share class performance information, and delete generated output folders when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad educational terms such as '试卷分析' and '成绩可视化', which can match ordinary user requests and invoke the skill unexpectedly. In this context, accidental activation is risky because the skill is designed to process assessment data and generate publishable outputs, so users may expose sensitive student performance information without realizing a specialized data-handling workflow has been triggered.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill promotes generation of dashboards, Word/PDF reports, PNG/SVG charts, and especially shareable WeChat HTML, but it does not warn users about handling student assessment data, personally identifiable information, or the risks of redistribution. This is dangerous because exam data commonly contains names, IDs, rankings, and performance metrics, and the skill's output formats make broad sharing easy, increasing the chance of privacy violations or unauthorized disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically creates timestamped output directories and writes charts, markdown reports, and HTML files containing analysis derived from student exam data without any consent prompt, privacy notice, output path review, or data-minimization control. In an education context, these artifacts may contain personally identifiable or sensitive academic information and can persist on disk longer than intended, increasing the risk of unauthorized local disclosure or accidental sharing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal