Xiaozhi Teach Chinese Writing Guide

Security checks across malware telemetry and agentic risk

Overview

This is a teacher-facing Chinese writing instruction guide with privacy-sensitive student-record templates, but no executable code or hidden behavior.

Install only if you are comfortable using it for teacher-managed student writing workflows. Keep student names out of prompts and shared documents, use pseudonyms, store writing samples only in approved systems, get required parent or school consent before archiving or sharing examples, and define deletion/retention rules for style records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding: The skill declares that it 'must activate' on several broad, common teacher utterances without defining exclusion conditions. This can cause overbroad routing and unintended invocation during ordinary classroom-assistance conversations, which may override user intent, produce irrelevant outputs, or chain into downstream skills and data interfaces unnecessarily.

Vague Triggers

Medium
Confidence: 92%
Finding: The trigger examples in the '触发时机' ("trigger timing") section are generic phrases that overlap with normal educational dialogue. Because no scope guardrails or disambiguation are provided, the skill may capture unrelated requests and steer the system into this workflow inappropriately, increasing the chance of prompt-routing errors and unnecessary handling of student-related data.

Missing User Warnings

Medium
Confidence: 96%
Finding: The template instructs teachers to keep student writing archives, interview records, and timeline data, but provides no privacy, consent, retention, or access-control guidance. In an educational context involving minors, this can lead to unnecessary collection, over-retention, re-identification from linked records, and unauthorized disclosure of sensitive student information.

VirusTotal

64/64 vendors flagged this skill as clean.
