Security audit

Feynman Learning Method (费曼学习法)

Security checks across malware telemetry and agentic risk

Overview

This is a Markdown-only tutoring skill that tests understanding and records learning progress, with privacy and routing caveats but no hidden or malicious behavior found.

Install this if you want a structured tutoring mode that quizzes students and tracks their understanding over time. Before using it with children or classroom data, confirm that users know assessment results may be saved to a learning profile and that there is a way to review, correct, or delete those records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill says it 'must' activate when users express broad study-related intents like wanting to test understanding. This creates overbroad invocation behavior that can unexpectedly steer conversations into this skill without clear user consent, increasing the chance of inappropriate activation and behavior override in adjacent contexts.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger table includes broad scenarios such as post-learning self-check, exam review, and AI-answer follow-up without precise invocation constraints. In a multi-skill system, ambiguous triggers can cause this skill to capture conversations too aggressively, resulting in misrouting, policy conflicts, or unrequested pedagogical probing.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill requires writing understanding-depth results back to 'DNA' persistent state after each test, but it does not mention user notice, consent, retention limits, or data minimization. Because this is an education skill likely handling children or minors, silent persistence of learning-performance data materially increases privacy and profiling risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.