suspicious.prompt_injection_instructions
- Location
- SKILL.md:28
- Finding
- Prompt-injection style instruction pattern detected.
Advisory. Audited by static analysis on May 10, 2026.
Detected: suspicious.prompt_injection_instructions
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A parent or student may believe progress data never leaves the device, while the package includes a design for sending it to a web dashboard.
The package makes strong local-only and security-audited claims, but another included artifact describes syncing the same learning data to a web dashboard. That contradiction can lead users to trust privacy guarantees that are not fully accurate.
README.md: "Codex Security Verified" and "Your data stays on your device"; SECURITY.md: "All data stays on the user's local device"; DASHBOARD-SPEC.md: "The skill runs locally and stores data in JSON files. The dashboard lives on the web... can optionally POST to /api/sync"
Qualify the privacy claims, clearly mark dashboard sync as optional, and document destination, authentication, consent, encryption, and retention before any sync is used.
Student learning records, problem text, quiz scores, and study plans could be copied into a cloud dashboard if that add-on is implemented or enabled.
The dashboard design covers sensitive learner data, including potentially homework text/images and academic performance, and contemplates web and scheduled sync without specifying access controls or retention.
Schema includes `users` with `name` and `grade_level`, `queries` with `raw_text` and `image_url`, `quiz_results`, `study_plans`; Data Sync Strategy says `POST /api/sync` and "Periodic sync... can auto-sync on a schedule."
Use local-only mode unless you explicitly want dashboard sync. For minors, require clear parental consent and document where data goes, who can access it, how long it is kept, and how it can be deleted.
A crafted or poisoned profile, topic, or quiz entry could run browser-side code when creating a progress report and potentially expose report contents.
Values loaded from persistent JSON files are inserted into HTML without escaping and then opened in a Chromium browser through Playwright. If saved learner or quiz data contains HTML/JavaScript, it could execute when the report is generated.
`name = profile.get("name", "Student")` ... `topic_rows += f"""...{display_name}..."""` ... `quiz_rows += f"""...{q.get('topic', 'N/A')}..."""` ... `page.goto(f"file://{temp_html}")`
Escape all user-controlled values with an HTML-escaping function, validate stored fields, and disable JavaScript or block network access in Playwright when rendering static reports.
Running setup in the wrong workspace could overwrite an existing Tutor Buddy profile, quiz history, or similarly named data file.
The setup prompt asks the agent to run local shell commands and initialize data files. This is purpose-aligned, but the redirection commands overwrite existing files with those names.
"Paste this entire message to your AI agent. It will set up Tutor Buddy Pro automatically" and `echo '{}' > data/learner-profile.json`, `echo '[]' > data/quiz-history.json`
Run setup only in the intended skill workspace, back up existing data files first, and prefer setup scripts that check before overwriting.