Security audit

学习DNA档案

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed learning-memory profile, but it stores sensitive student learning and emotion data, and some of its reference instructions allow automatic updates from ordinary conversation without restating the consent gate.

Install only if you are comfortable with a student learning profile that can persist academic, behavioral, interest, and emotion-related observations across sessions. Before use, confirm that OpenClaw enforces explicit profile opt-in, separate emotion-tracking consent, easy view/edit/delete/pause controls, and separate consent for reminders or sharing with other skills. Do not rely on the reference templates as-is for automatic updates without adding an active consent check and confirmation boundary.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The template explicitly directs automatic persistent DNA/profile updates from ordinary student utterances such as 'I understand' or 'I have an exam this week.' That conflicts with the stated privacy boundary that cross-session memory should activate only after explicit opt-in or explicit profile-management requests, creating unauthorized retention and downstream sharing/reminder behavior for minors' educational data.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding:
The file presents itself as a first-time profile creation guide, but later includes instructions for automatic ongoing DNA updates from normal conversation. This mismatch can cause implementers to believe they are operating within consent boundaries while actually expanding collection beyond the user's explicit authorization.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The document explicitly tells the agent to proactively announce and record milestones into persistent '学习DNA' growth history whenever conditions are met. That conflicts with the stated consent-gated model, where cross-session profiling should only occur after explicit user or guardian opt-in; otherwise ordinary tutoring interactions could silently become long-term behavioral tracking.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
These habit milestones require passive monitoring of conversational behaviors such as saying '让我先想想' ('let me think first'), admitting confusion, or asking follow-up questions, then counting occurrences over time. In an education context involving minors, this creates behavioral profiling from normal chat activity and exceeds the manifest's default rule that memory should not be built unless the student or guardian has clearly enabled it.

Description-Behavior Mismatch

Severity: Low
Confidence: 87%
Finding:
The guidance says that when a student asks broadly 'how much progress have I made,' the agent should proactively retrieve all recorded milestones. That broad trigger can expose stored profile data outside explicit profile-management requests, increasing the chance of unexpected disclosure of historical learning records.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The schema introduces consent fields for cross-skill sharing and IM reminders, which expand the system from a narrowly scoped long-term learning profile into broader data sharing and outreach behavior. Even if gated by booleans, defining these capabilities at the schema level increases the likelihood that personal student data could be reused beyond the immediate tutoring context, especially for minors.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
This section enables persistent emotional, motivational, and anxiety-related profiling inferred from conversation signals, which is substantially more sensitive than ordinary learning-memory data. In a student-facing skill, especially one that may process children’s data, such inference can create lasting sensitive profiles that affect trust, privacy, and downstream decision-making.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The schema supports tracking anxiety triggers, mood baselines, motivation, and effective interventions without a clear necessity tied to the core function of a learning memory engine. Because these are inferred over time from behavioral signals rather than directly supplied facts, the skill creates a sensitive longitudinal profile that can be inaccurate, stigmatizing, or over-collected.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The schema text attempts to downplay the nature of the data by saying it is 'not a psychological profile,' but the actual fields implement repeated emotional-state, trigger, and motivation tracking over time. This mismatch is dangerous because it can mislead reviewers and users about the sensitivity of the collected data and weaken informed consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The example profile models a very broad, persistent student dossier that includes behavioral patterns, emotional state, anxiety triggers, motivation, interests, and cross-skill sharing flags. Even as an example file, this normalizes collection and retention far beyond 'minimal, consent-gated memory' and can drive downstream implementations to store sensitive student profiling data, including potentially mental-health-adjacent inferences, creating privacy, compliance, and misuse risks.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger list includes broad phrases such as interest exploration or continuing prior tutoring that could be interpreted as consent to activate persistent memory, even when the user did not explicitly intend to enable cross-session profiling. In a student-profile skill handling minors' educational and emotion-related data, ambiguous activation materially increases the risk of unauthorized collection, reading, or sharing of persistent personal data.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The trigger phrases are broad, common conversational statements that can easily occur during normal tutoring, making unintended profile updates likely. In a student-memory system, especially one handling minors, ambiguous triggers increase the chance of silently storing inaccurate or undesired long-term data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The content describes persistent profiling, milestone tracking, and cross-skill actions like reminders and error-book pushes, but the cited section does not require a contemporaneous user warning or consent notice before those data flows occur. That is risky because users may not understand that ordinary statements are being retained and propagated beyond the immediate tutoring exchange.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal