Xiaozhi Math Gradient Trainer

Security checks across malware telemetry and agentic risk

Overview

This math-training skill is coherent, but it should be reviewed because it directs long-term learner profile tracking and reminders without clear consent or retention controls.

Review this before installing for students, especially minors. Use it only where persistent learning records, weakness tracking, and reminders are acceptable, and prefer a setup that asks before writing to learner profiles and provides a way to view, edit, or delete stored progress.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill declares very broad activation conditions such as '凡是涉及数学进阶训练、思维提升、水平测定的场景，务必调用此SKILL', which can cause unintended invocation in loosely related conversations. Over-broad triggers can lead to workflow hijacking, unnecessary collection/use of learner profile data, and suppression of more appropriate skills or default handling.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill specifies persistent recording of detailed student progress, weakness history, attempts, and profile updates in a '成长日记' and related DNA/archive systems, but does not clearly disclose retention, scope, sharing, or obtain explicit consent. In an educational context involving potentially minors, silent persistence of performance profiles increases privacy risk and can create unauthorized long-term tracking.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal