parents-homework

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This parenting-support skill is not clearly malicious, but it stores sensitive family and child-related information locally and has significant scope, provenance, and safety-disclosure problems.

Install only if you are comfortable with a locally run parenting tool that may save sensitive family, child, mood, goal, assessment, and conversation data into JSON files. Treat the guidance as educational, not medical, psychological, legal, or crisis care; use emergency services or qualified professionals for self-harm, abuse, violence, or imminent safety concerns. Review or disable the storage behavior before entering private transcripts or child-related details, and be aware that the package identity and documentation are inconsistent.

SkillSpector (21)

By NVIDIA

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared purpose is a focused parenting-support skill, but the finding indicates substantially broader behavior including persistent storage, tracking, analysis, dashboards, and family-structure profiling. In a mental-health-adjacent context, this mismatch is dangerous because users may disclose sensitive family and child data without understanding the scope of collection, retention, and inference being performed.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The README makes contradictory claims about dependencies and states that multiple AI agent frameworks are already integrated, while the documented project structure does not include the referenced integration module. This can mislead users into installing unnecessary third-party packages, trusting capabilities that do not exist, or overlooking supply-chain and execution risks introduced by those frameworks.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file materially expands behavior beyond the manifest-described scope, introducing broad three-generation trauma analysis and family power/structure modeling. In a parenting support skill, this scope drift is risky because users may rely on unreviewed mental-health-style inferences and interventions that were not disclosed or bounded in the declared functionality.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The code omits manifest-promised safety-oriented features such as danger-signal detection, age-band guidance, and crisis-handling workflows while presenting other analysis functions as complete. For a parenting/mental-health-adjacent skill, missing these safeguards can mislead users into trusting the tool in situations where triage or escalation logic should exist.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The full-analysis method generates the 'insight wheel' from an empty object instead of the computed trauma analysis, producing incorrect or placeholder output while claiming a complete report. In this context, inaccurate summary visualizations can misinform parents and undermine any downstream decisions based on the report.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The document presents weakly sourced, viral or non-academic material as research-backed authority, which can mislead users into trusting unsupported guidance in a sensitive family and mental-health-adjacent context. In this skill, that increases the risk of harmful recommendations, distorted risk assessment, or overconfident advice affecting parent-child relationships and crisis decisions.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file presents itself as a research database and claims a research basis, but the cited provenance appears to be an unverified compilation sourced from a search engine rather than traceable primary studies. In a parenting guidance skill, this can mislead users into treating synthesized or possibly fabricated claims as evidence-backed advice, which increases the risk of harmful decisions in sensitive family or mental-health-adjacent situations.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The file self-identifies as being generated for a different skill ('still-growing') than the one under review ('parents-homework'), which is a real supply-chain/integrity issue. In a safety-sensitive parenting/psychology context, mismatched provenance can indicate copied or repurposed content, making it harder to trust scope, assumptions, maintenance ownership, and any linked guidance or future automation built on this dataset.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The analyzer is designed for sensitive parent-child dialogue, and the class initializes a persistent records path under a local data directory for saving analysis artifacts. In this context, storing family communication data creates privacy risk because transcripts and derived analysis may contain highly sensitive emotional, behavioral, or child-related information that can be exposed to other local users, backups, or later misuse.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The interactive workflow automatically saves the full analysis result after processing, without an explicit consent prompt. Because the saved result includes the original conversation messages and timestamps, this silently persists sensitive family transcripts and increases the chance of privacy violations on shared devices or compromised hosts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The metadata promises pattern recognition, danger-signal detection, age-specific guidance, and crisis-handling, but the implementation only performs first-match substring checks against a very small hardcoded list. In a parenting and crisis-related context, this mismatch can create dangerous over-trust: users may assume the tool is screening for serious risk when it can easily miss harmful language, nuanced threats, or urgent crisis situations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The entry point imports and exposes modules for mood tracking, goal management, and parenting-style assessment that go beyond the declared skill scope of pattern recognition, danger-signal detection, age guidance, and crisis handling. This kind of scope expansion is dangerous because it can collect or process additional sensitive family and mental-health data without clear user expectation, review, or manifest disclosure.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file identifies itself as 'still-growing 家庭教育技能系统' rather than the manifested 'parents-homework' skill, creating an integrity and provenance mismatch. This is dangerous because reviewers and users may believe they are running one vetted skill while actually executing code originating from or repurposed from another package, undermining trust and security review accuracy.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script appends psychological self-assessment results to a local history file by default, creating persistent records of sensitive mental-health/parenting-related data without clear necessity for the core questionnaire function. On shared devices or poorly secured environments, this can expose intimate behavioral profiles and timestamps to other local users or backup/sync systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly describes storing highly sensitive family, emotional, assessment, and communication records in local JSON files without any privacy warning, retention guidance, access controls, or consent language. In this skill context, the data involves minors and intimate family dynamics, so accidental exposure, insecure sharing, or unauthorized local access could cause significant privacy harm.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill gives crisis guidance about self-harm and suicide signals but does not prominently state that it is not a substitute for emergency or professional mental-health care. In a parenting and youth context, users may rely on incomplete guidance during an acute crisis, delaying emergency intervention and increasing risk of severe harm or death.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill performs mental-health-style assessment, trauma framing, emotional support, and intervention planning without any disclaimer that it is not a substitute for professional care. This is dangerous because users may over-rely on the tool for serious family conflict, depression, abuse, or crisis situations that require qualified clinical or emergency support.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The skill is explicitly designed and implemented as Chinese-only, with Chinese prompts, examples, and output formatting, and it does not provide any language negotiation or user choice. This can exclude or mislead users who do not understand Chinese, causing misunderstanding of sensitive parenting-related analysis, but it is not an exploit or code-execution risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Users are asked to enter intimate parent-child conversations, but the interface does not warn that those transcripts will be written locally. In a family guidance skill, this omission is especially dangerous because users may reasonably assume the session is ephemeral while disclosing sensitive child, mental health, or abuse-adjacent details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores highly sensitive family mood and interaction notes in a local JSON file without any notice, consent flow, access controls, or encryption. In this skill context, the data includes intimate parent-child conflict patterns and notes, so accidental disclosure through shared devices, backups, or other local users could cause meaningful privacy harm.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sensitive assessment responses are written to persistent local storage without prior warning, informed consent, or an opportunity to decline retention. Because the data concerns parenting behavior and potentially harmful family dynamics, undisclosed storage increases privacy risk and undermines user expectations for a self-reflection tool.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
