Tutor Buddy Pro

Review

Audited by ClawScan on May 10, 2026.

Overview

The tutoring skill is mostly coherent, but it overstates local-only privacy while including cloud dashboard sync plans and has a report script that renders saved student data unsafely.

Before installing, decide whether you are comfortable with local learner profiles, quiz history, and study plans being stored. Do not enable or build the dashboard sync unless its destination, access controls, consent, and deletion process are clear. If you use the progress-report script, fix the HTML escaping issue first or only run it on trusted data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A parent or student may believe progress data never leaves the device, while the package includes a design for sending it to a web dashboard.

Why it was flagged

The package makes strong local-only and security-audited claims, but another included artifact describes syncing the same learning data to a web dashboard. That contradiction can lead users to trust privacy guarantees that are not fully accurate.

Skill content

README.md: "Codex Security Verified" and "Your data stays on your device"; SECURITY.md: "All data stays on the user's local device"; DASHBOARD-SPEC.md: "The skill runs locally and stores data in JSON files. The dashboard lives on the web... can optionally POST to /api/sync"

Recommendation

Qualify the privacy claims, clearly mark dashboard sync as optional, and document destination, authentication, consent, encryption, and retention before any sync is used.

What this means

Student learning records, problem text, quiz scores, and study plans could be copied into a cloud dashboard if that add-on is implemented or enabled.

Why it was flagged

The dashboard design covers sensitive learner data, potentially including homework text or images and academic performance, and contemplates web and scheduled sync without specifying access controls or retention.

Skill content

Schema includes `users` with `name` and `grade_level`, `queries` with `raw_text` and `image_url`, `quiz_results`, `study_plans`; Data Sync Strategy says `POST /api/sync` and "Periodic sync... can auto-sync on a schedule."

Recommendation

Use local-only mode unless you explicitly want dashboard sync. For minors, require clear parental consent and document where data goes, who can access it, how long it is kept, and how it can be deleted.

What this means

A crafted or poisoned profile, topic, or quiz entry could run browser-side code when creating a progress report and potentially expose report contents.

Why it was flagged

Values loaded from persistent JSON files are inserted into HTML without escaping and then opened in a Chromium browser through Playwright. If saved learner or quiz data contains HTML/JavaScript, it could execute when the report is generated.

Skill content

`name = profile.get("name", "Student")` ... `topic_rows += f"""...{display_name}..."""` ... `quiz_rows += f"""...{q.get('topic', 'N/A')}..."""` ... `page.goto(f"file://{temp_html}")`

Recommendation

Escape all user-controlled values with an HTML-escaping function, validate stored fields, and disable JavaScript or block network access in Playwright when rendering static reports.

What this means

Running setup in the wrong workspace could overwrite an existing Tutor Buddy profile, quiz history, or similarly named data file.

Why it was flagged

The setup prompt asks the agent to run local shell commands and initialize data files. This is purpose-aligned, but the redirection commands overwrite existing files with those names.

Skill content

"Paste this entire message to your AI agent. It will set up Tutor Buddy Pro automatically" and `echo '{}' > data/learner-profile.json`, `echo '[]' > data/quiz-history.json`

Recommendation

Run setup only in the intended skill workspace, back up existing data files first, and prefer setup scripts that check before overwriting.