ClawHub

Xiaozhi English Vocabulary Dna

Security checks across malware telemetry and agentic risk

Overview

This vocabulary study skill is coherent and disclosed, but users should knowingly opt into its stored learning history and recurring IM reminders.

Install this if you want a vocabulary tracker that keeps study history and can send recurring IM reminders. Before enabling it, confirm which words and context are saved, which messaging channel is used, how to pause reminders, and how to delete stored vocabulary history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill mandates activation for broad categories like English vocabulary memorization, accumulation, and preview scenarios, which can cause the agent to invoke this skill even when the user did not specifically request persistent tracking or reminders. In a system with memory and reminder integrations, over-broad routing increases the chance of unintended data collection, unwanted nudging, and cross-skill actions without sufficiently precise consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Several trigger phrases are generic study expressions that are likely to appear in normal tutoring conversation, making accidental activation plausible. Because this skill is designed to persist learning data and potentially schedule IM reminders, generic triggers can convert routine educational chat into long-lived profile updates or reminder workflows without clear user intent.

Ssd 3

Medium
Confidence
90% confidence
Finding
This section directs the system to persist user-provided vocabulary items together with conversation context and source metadata across sessions. Storing contextual learning content can reveal personal interests, school materials, habits, or other sensitive educational data, and repeated reuse increases privacy risk if retention limits, minimization, and consent are not tightly enforced.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill records student answers, usage history, and performance over time into a persistent vocabulary profile, creating a behavioral learning record. While useful pedagogically, such profiling can expose memory patterns, proficiency, and habits, and becomes more sensitive when combined with reminder systems and cross-session analytics.

Ssd 3

Medium
Confidence
89% confidence
Finding
The monthly health report aggregates retained learning history, forgetting patterns, and usage behavior into a longitudinal profile. Even in an education context, such summaries can expose sensitive behavioral inferences and create unnecessary surveillance risk if generated automatically or shared beyond the immediate user interaction.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal