Back to skill

Security audit

AP Classroom Agent

Security checks across malware telemetry and agentic risk

Overview

This skill controls a logged-in AP Classroom browser to answer and submit coursework, while also saving course data and screenshots locally with limited safeguards.

Only install this if you fully accept that it can operate inside your logged-in College Board session, view and save AP Classroom content locally, choose answers, and submit quizzes or assignments. Use a separate Chrome profile, close the remote debugging port after use, inspect/delete generated JSON and PNG files, and avoid using it on graded coursework unless your school and College Board policies explicitly allow that automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script's stated behavior is limited to checking browser status, but it also persists extracted course metadata to disk in current-course.json. In a skill that attaches to an already logged-in browser session, silently writing user-associated educational data creates an undisclosed data collection and retention risk.

Intent-Code Divergence

High
Confidence
89% confidence
Finding
The comment promises the browser will remain open, but the code calls browser.close(), which may terminate the connected browser instance rather than merely disconnecting. In a skill designed to use the user's current logged-in browser, that discrepancy can cause unintended session interruption or loss of user state, which is especially risky when operating against a live personal browser.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script extracts full quiz question text and answer options from AP Classroom pages and prints them to logs. In this skill’s context, that exposes copyrighted assessment content and user activity beyond what is necessary to automate navigation/clicking, and creates a data leakage channel through console output or captured logs.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script's behavior diverges from the stated purpose of completing AP Classroom work: it connects to an already logged-in browser session, enumerates the user's AP courses, and persists that account-derived data locally. This expands access to sensitive educational account information beyond what is necessary for the declared task, which is a data-minimization and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script writes `available-courses.json` and a full-page screenshot to disk from a logged-in College Board session. Those files can expose account-derived course enrollment details and potentially additional personal or session-visible information captured in the screenshot, creating unnecessary local data exfiltration and retention risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples explicitly walk a user through opening assignments, selecting answers, and submitting quizzes on AP Classroom, which normalizes automating graded coursework. In this skill context, that is risky because submission is irreversible and the described use can facilitate academic misconduct or unintended grade impact without strong up-front warnings, gating, or limits.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly promotes automated checking, answering, and submission of AP Classroom quizzes and assignments using a logged-in browser session, but it does not warn about academic-integrity violations, unauthorized account use, or the irreversible nature of submissions. In this context, the omission is dangerous because the skill is purpose-built to take actions on a real student account and can cause policy violations or permanent submission of fraudulent work.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The release notes explicitly advertise tools for opening assignments, selecting answers, submitting quizzes, and full automation, but provide no warning that these actions can alter live coursework and trigger irreversible submissions. In the context of an AP Classroom skill that operates in the currently logged-in browser session, this increases the risk of unauthorized or accidental academic-submission actions and misuse of a student's authenticated account.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script parses page body content to infer and print the user's identity and course information from an authenticated AP Classroom session without an explicit privacy notice or consent flow. Because the skill context is an automation tool for coursework using the current logged-in browser, browser-derived student data is sensitive and this undisclosed extraction increases privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script stores extracted course information locally without clearly informing the user that authenticated browser-derived data will persist on disk. In the context of a tool that operates on a student's active AP Classroom session, even limited educational metadata can accumulate into a privacy issue or be accessed later by other local processes/users.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script automatically submits a quiz and confirms submission without an explicit user confirmation step immediately before the irreversible action. In the context of AP Classroom assessments, this can prematurely finalize academic work, cause loss of the chance to review answers, and facilitate unauthorized cheating or unintended submission under the logged-in user’s identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script saves a full-page screenshot of the submitted quiz locally without notifying the user. In this context, the screenshot may contain assessment content, scores, identifiers, or account information, creating unnecessary local retention of sensitive educational data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script saves a full-page screenshot of an authenticated AP Classroom page to disk without explicit user consent, redaction, or retention controls. Because the skill is designed to use the current logged-in browser, the screenshot may capture student data, assignment content, and other sensitive session-visible information, creating local data exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code silently saves sensitive page-derived information to local files without any user disclosure or consent flow. In the context of a skill that operates on a currently logged-in browser, undisclosed collection and storage materially increases privacy risk because users may not realize their account contents are being archived.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://github.com/openclaw/openclaw"
  },
  "dependencies": {
    "playwright": "^1.40.0"
  },
  "engines": {
    "node": ">=14.0.0"
Confidence
93% confidence
Finding
"playwright": "^1.40.0"

Known Vulnerable Dependency: playwright==1.40.0 — 1 advisory(ies): CVE-2025-59288 (Playwright downloads and installs browsers without verifying the authenticity of)

High
Category
Supply Chain
Confidence
98% confidence
Finding
playwright==1.40.0

VirusTotal

42/42 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.