Study Buddy

Security checks across malware telemetry and agentic risk

Overview

Study Buddy is a local-only study assistant that saves study materials and progress on the user's device, with no artifact evidence of network use, credential access, or hidden behavior.

Install if you are comfortable with the skill saving study notes, flashcards, quiz results, plans, and history under ~/.openclaw/study-buddy/. Avoid storing sensitive personal information in notes, and be aware that generic phrases like "explain" or "review" may activate it unless your agent applies context carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 89%
Finding:
The activation rules include very generic triggers such as "explain," "review," "notes," and "study," which are likely to match normal conversation unrelated to this skill. Over-broad activation can cause unintended handling of user input, unexpected local data persistence, and interference with other skills or workflows. In this context, the danger is increased because the skill persistently stores notes, history, quiz results, and study metadata.

Missing User Warnings

Low
Confidence: 84%
Finding:
Although the skill later documents local storage, the user-facing description does not clearly disclose that it persistently stores study content, notes, quiz history, and progress data on disk. This can undermine informed consent and lead users to reveal sensitive educational or personal information without realizing it will be retained. The impact is limited by the claim of local-only storage, but it still presents a privacy risk.

VirusTotal

54/54 vendors flagged this skill as clean.
