Security audit

pastoral care德育-Katherine

Security checks across malware telemetry and agentic risk

Overview

This school pastoral-care skill is not malware, but it needs review because it gives under-safeguarded guidance about minors, emergencies, and dorm or device searches.

Review this skill carefully before installing in a school setting. Use it only as advisory support, and require local school policy, legal/privacy review, safeguarding leadership, guardian/student rights procedures, and trained human judgment for crisis, discipline, recordkeeping, searches, or confiscation workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to activate on common school-management or student-support conversations, which can cause the skill to engage in situations where it was not explicitly intended. In a pastoral-care context, unintended activation is risky because it may surface disciplinary, psychological, or crisis-oriented guidance in routine conversations involving minors.

Missing User Warnings

Medium
Confidence: 87%
Finding
The description references intrusive or sensitive activities such as phone inspections, warning-letter workflows, and student psychological support without any visible privacy, consent, or safeguarding warning. In a school setting involving minors, this omission can normalize invasive actions or cause staff to use the skill without considering institutional policy, legal constraints, or student welfare protections.

Missing User Warnings

High
Confidence: 95%
Finding
The skill instructs immediate activation and reporting for self-harm, suicide, violence, and sexual assault, but it does not explicitly direct users to qualified safeguarding leads, emergency services, or established crisis-response procedures. In a high-risk student welfare context, incomplete escalation guidance can lead to harmful delay, unqualified handling, or policy-inconsistent responses during emergencies.

Missing User Warnings

Medium
Confidence: 91%
Finding
The guidance operationalizes dormitory spot-checks, searches of personal belongings, and device confiscation, but does not include explicit privacy, consent, proportionality, or safeguarding constraints. In a school setting, this can normalize invasive searches, create legal/compliance risk, and enable misuse against students without clear authorization, documentation, escalation thresholds, or protections against abuse.

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.