ClawHub

Xiaozhi Teach Physics Experiment Coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent markdown-only physics teaching skill, but teachers should review its student-data sharing and home electricity activity guidance before use.

Install only if a teacher will supervise its use, keep student records pseudonymized, and avoid automatic sharing of student profiles unless the user explicitly wants it. For home experiments, replace or qualify any household-circuit power activity with safe indirect methods such as appliance nameplate ratings, rated smart plugs used by adults, or simulations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill uses broad, everyday trigger phrases and mandates that it 'must activate,' which can cause overbroad invocation outside the intended context. In an agent ecosystem, this can override user intent, route conversations into the wrong workflow, and unnecessarily expose or propagate student-analysis and experiment-profile data across linked skills.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger table is overly generic and lacks exclusion criteria, making accidental activation likely for loosely related questions. Because the skill advertises downstream interfaces to student-analyzer, resource-library, and parent-communication flows, misfires could cause irrelevant processing, incorrect profile updates, or unintended handling of student educational data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file recommends课外实验 including '测家中电路功率' in a home setting, but it does not include explicit electrical safety warnings, age/teacher supervision constraints, or safer alternatives. In an education skill aimed at teachers, this omission can propagate unsafe assignments to students and increase risk of shock, burns, or unsafe interaction with mains electricity.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal