AI-Integrated STEAM Lesson Generator

Security checks across malware telemetry and agentic risk

Overview

This lesson-plan skill is not executable malware, but it repeatedly tells teachers to send student work, images, accounts, and gallery content through third-party AI tools without adequate privacy or consent safeguards.

Review before classroom use. Use only school-approved AI platforms and accounts, remove student names and identifiers, avoid uploading portraits or identifiable work unless consent and policy allow it, check vendor retention and training terms, and keep galleries private, opt-in, and access-restricted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README explicitly promotes AI-assisted grading and student use of multiple third-party AI tools, but provides no guidance on student privacy, consent, age appropriateness, account requirements, or restrictions on uploading student work. In a school setting, this can lead teachers to submit personally identifiable student data, assessments, or student-generated content to external services in ways that may violate school policy or privacy obligations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly tells teachers to upload photos, screenshots, or pasted student work to an external AI service for assessment, but it provides no privacy, consent, data minimization, retention, or compliance guidance. In an education context this can expose student personal data, academic records, handwriting, and potentially identifiable information to third-party processing without appropriate authorization.

Missing User Warnings

Medium
Confidence: 96%
Finding
The lesson explicitly tells teachers to use an external AI service to evaluate student work and to provide screenshots or descriptive details, but it gives no privacy, consent, retention, or data-sharing safeguards. In a school context involving minors, this creates a real risk of exposing student work or identifiable information to third-party platforms in ways that may violate school policy or privacy obligations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The lesson instructs teachers to paste student paragraphs into external AI services for assessment without any warning about personal data, consent, retention, or school policy. In an education context, student work can contain names or identifiable details, so sending it to third-party platforms may expose student data and create compliance risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The quick-start setup directs students to create or share accounts on external AI services and use/save generated work, but provides no warning about privacy, account-sharing risks, or third-party data handling. This is especially concerning for minors, because shared accounts and external uploads can expose student data, mix student activity, and undermine accountability and safeguarding.

Missing User Warnings

Medium
Confidence: 95%
Finding
The lesson instructs students to create accounts on third-party AI/design platforms without any privacy, parental consent, age-appropriateness, or data-handling warning. In a school setting involving minors, this can lead to unnecessary disclosure of student personal data, school email addresses, and usage metadata to external vendors.

Missing User Warnings

Medium
Confidence: 93%
Finding
The activity suggests uploading a completed student portrait to Tripo3D.ai without warning that student-created work is being sent to an external service. Even if the image is only artwork, it may contain identifiable stylistic, textual, or embedded personal information, and external upload may create retention, reuse, or copyright concerns.

Missing User Warnings

High
Confidence: 99%
Finding
The assessment workflow recommends sending screenshots and descriptive details of student work to an external AI platform but omits any privacy safeguards. In an educational context, this is especially risky because student work, metadata, and evaluative comments may be transmitted to third-party systems, potentially violating school policy, consent requirements, or student privacy obligations.

Missing User Warnings

Medium
Confidence: 96%
Finding
The virtual gallery proposal encourages sharing student portraits with parents or the school community without addressing consent, copyright, or whether the gallery is public or access-restricted. This can expose student-created content more broadly than intended and may reveal identifying information through names, styles, captions, or account links.

VirusTotal

61/61 vendors flagged this skill as clean.
