Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
tutor-buddy-pro
v1.0.0AI tutor that guides homework problem-solving with step-by-step Socratic questions, creates personalized study plans, runs quizzes, and adapts to your learni...
⭐ 0· 35·0 current·0 all-time
by@nollio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Socratic tutor, study plans, quizzes, progress tracking) matches the files and instructions: SKILL.md, config, example sessions, a report-generation script, and a dashboard spec. There are no unrelated credentials, binaries, or opaque installers requested that would be disproportionate to a tutoring skill.
Instruction Scope
SKILL.md instructs the agent to use vision tools, transcribe images, read and update local learner data files (data/learner-profile.json, data/quiz-history.json) and to never treat uploaded content as control instructions. Reading/writing those data files is coherent for progress-tracking, but the SKILL.md gives the agent permission to read local data — users should expect local student data to be accessed by the skill. The skill explicitly includes prompt-injection defenses in the system prompt (so the pre-scan patterns are present for defense, not exploitation).
Install Mechanism
There is no external install spec; the package is instruction-only with one helper script. No archives are downloaded from arbitrary URLs and there are no npm/go installs. The generate-progress-report.sh uses Playwright optionally (documented) but Playwright is not auto-installed by the skill.
Credentials
The skill requires no environment variables, no credentials, and no external API keys. It reads and writes local data files (data/) which is proportionate to the stated functionality. The dashboard spec describes a web dashboard and endpoints, but no network sync code is present in the repository; the repo does note this as a future-design risk.
Persistence & Privilege
The skill does not request 'always: true' or elevated privileges. The setup instructions ask the operator to create data directories and change permissions (chmod) and to copy config files into data/ — appropriate for storing local learner data, but the SETUP-PROMPT.md contains fragile 'find' usages (the included CODEX audit flagged a possible path-resolution issue). Running the provided setup commands without verifying SKILL_DIR could accidentally modify unexpected paths; verify the resolved path before executing Step 5.
Scan Findings in Context
[prompt_injection_pattern:ignore-previous-instructions] expected: The pattern was detected in SKILL.md but appears inside explicit prompt-injection defense text (SKILL.md instructs the agent to ignore such strings in uploaded content). Presence is expected and appropriate for defense.
[prompt_injection_pattern:you-are-now] expected: Detected string is used in the SKILL.md as an example of malicious/instruction-like text to be ignored; this is consistent with explicit injection mitigation guidance.
[CODEX-AUDIT:HTML-Injection-Progress-Report (fixed)] expected: The security audit found an HTML-injection vector in the report renderer but documents it as fixed (html.escape and numeric sanitization applied). Audit evidence present in CODEX-SECURITY-AUDIT.md.
[CODEX-AUDIT:Arbitrary-Output-Path-Write-Risk (fixed)] expected: The audit previously flagged an arbitrary output path write risk in the report script; the current script normalizes basename and restricts output to reports/ (per the audit notes).
[CODEX-AUDIT:Setup-Prompt-Path-Resolution] expected: Audit flagged SETUP-PROMPT.md find usage as a medium issue (can return multiple matches). This is a correctness/hardening problem in setup instructions rather than evidence of malicious behavior; the repo's audit recommends deterministic resolution (head -1 and validation).
[CODEX-AUDIT:Permission-Policy-Mismatch] expected: Audit noted repo checkout file modes differ from recommended runtime permissions (config/tutor-config.json should be 600). This is a policy hardening note and not a secret or backdoor.
[CODEX-AUDIT:Future-Sync-Design-Risk] expected: Dashboard spec documents an /api/sync endpoint and mentions optional POSTs. The repository contains no network client code performing exfiltration now; the audit flags this as a future design-level surface to watch if/when a sync implementation is added.
Assessment
This skill appears to do what it says: local tutoring with progress tracking and an optional report renderer. Before installing: 1) Inspect and run the setup commands manually rather than blindly pasting the SETUP-PROMPT; verify the SKILL_DIR value the find command returns to avoid unintended chmod/cp actions. 2) If you won't use reports, you can ignore scripts/generate-progress-report.sh (it requires Playwright to render PNGs). 3) Keep the skill offline if you want to ensure no accidental network sync; the dashboard spec refers to future syncing but no outbound network code is present today. 4) Verify data directory permissions (data/ set to owner-only) and review data/learner-profile.json contents if minors will use the tool. 5) The SKILL.md contains explicit prompt-injection defenses — good — but always be cautious about pasting content from untrusted sources. If you need higher assurance, run the script in an isolated environment first and consider removing dashboard sync hooks until you review or implement authenticated transports.SKILL.md:28
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk9720ezdcw7zsageq6ey2twrhd83zbn2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.