天天老师助手

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If later instructions or hidden portions caused shell commands to run, they could affect the local environment; the visible excerpt does not show such commands being executed.

Why it was flagged

The embedded JavaScript imports shell execution support. No actual shell command is shown in the provided artifact, so this is not evidence of misuse, but it is a capability users should notice.

Skill content

const { exec } = require('child_process'); ... const execAsync = util.promisify(exec);

Recommendation

Use the skill only for its grading workflow and review any proposed command execution before approving it.

What this means

A mistaken or inappropriate path could copy non-homework local files into the grading workspace.

Why it was flagged

The upload helper copies a supplied local file path into the skill workspace. This is purpose-aligned for homework uploads, but the visible code does not restrict the source path to a dedicated upload directory.

Skill content

if (typeof file === 'string') { originalPath = file; ... } ... fs.copyFileSync(originalPath, destPath);

Recommendation

Provide only intended homework files to the skill and avoid passing arbitrary local paths.

What this means

The skill may be able to use Tencent account privileges or incur service usage under the provided keys.

Why it was flagged

The skill requires Tencent cloud secret credentials and web access. This is plausibly related to OCR or cloud processing for homework images, and there is no visible evidence of credential leakage or unrelated use.

Skill content

"requires": { "env": ["TENCENT_SECRET_ID", "TENCENT_SECRET_KEY"], "config": ["web.enabled"] }

Recommendation

Use a dedicated, least-privilege Tencent credential, monitor usage, and rotate/revoke it if no longer needed.

What this means

Student names, homework details, grading notes, or other classroom data may persist locally and be reused in later interactions.

Why it was flagged

The skill uses persistent session state and appends entries to a local memory file. This is coherent for grading history and statistics, but it can retain student-related information across tasks.

Skill content

"session": { "persist": true, "timeout": 7200 } ... memoryFile: path.join(WORKSPACE, 'memory/MEMORY.md') ... fs.appendFileSync(PATHS.memoryFile, content);

Recommendation

Avoid storing unnecessary personal data, periodically review or clear the workspace memory, and treat stored homework/roster data as sensitive.