Ofek Galim

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its stated school-task purpose, but it handles children's credentials and can write homework details to Google Calendar with limited runtime guardrails.

Install only if you are authorized to access the children's school accounts and are comfortable storing those credentials locally. Use a dedicated, restricted calendar and run calendar sync with --dry-run first; avoid the default primary calendar unless intended. Review the external Webtop helper dependency before using combined reports, and enable any WhatsApp or daily automation only after confirming exactly what data is sent and to whom.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation explicitly instructs the agent to source local environment files containing credentials and to construct child account JSON from username/password variables. That gives the skill direct secret-handling capability and broad access to sensitive accounts, which exceeds a narrow read-only summarization flow unless strongly constrained. In this context the capability is plausibly functional rather than malicious, but it increases risk of credential exposure, misuse, or accidental disclosure in logs and command output.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description is primarily about checking, monitoring, and summarizing homework/tasks, but the documentation also promotes a sync command that creates or updates calendar events. That introduces a write-capable side effect against an external system, expanding the skill from read-only inspection into modification of user data. Even if intended as a convenience feature, this mismatch makes accidental or unauthorized changes more likely.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The automation section expands the skill from passive monitoring into active integrations that create calendar events and distribute updates through WhatsApp. When these behaviors are not clearly aligned with the manifest, users may unknowingly enable ongoing external sharing and data propagation involving children's school information.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
WhatsApp messaging introduces external transmission of student homework and status information to a group target, which is materially different from merely inspecting tasks. Without explicit justification, boundaries, and consent language, this creates privacy and unintended disclosure risk, especially in a family or group-chat setting.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Calendar synchronization writes derived student task data into another system, broadening the skill from observation to modification of external resources. This is risky because due dates, titles, and reminders may expose personal educational information and create persistent artifacts outside the original portals.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script loads children's portal usernames and passwords from local .env files and from an environment-variable-selected override path, then uses them for automated login. In an agent-skill context, this is a real credential-access capability and expands the trust boundary, especially because the override path can redirect the script to other local files containing secrets.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script does more than inspect or summarize school tasks: it creates Google Calendar events in an external calendar, which is a side effect involving third-party data transfer and account modification. In the context of a skill described primarily as checking and summarizing student homework, this expands capability beyond user expectations and can expose children's task metadata to an external service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code loads a service account credential file and requests full calendar write scope, giving broad ability to create or modify calendar data. For a task-inspection skill, this is over-privileged and increases the blast radius if the skill is misused, misconfigured, or the credential file is exposed, especially because it processes child-related data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The prompt instructs the agent to run a calendar sync command that can change external state, but it does not require explicit user confirmation or clearly warn that data may be created or modified. In an automation-oriented skill that operates on school tasks and alerts, this increases the chance of unintended writes to calendars or linked systems through routine use.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file tells the agent to load credential env files and use commands that may access school systems and calendar integrations, but it does not warn that these operations involve sensitive credentials and can read, transmit, or modify external account data. Missing safety qualifiers and consent boundaries are dangerous because they make high-impact actions appear routine and low-risk. In an agent setting, that can lead to overbroad execution without adequate user awareness.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The activation language is broad enough to match many ordinary school-related requests, which can cause the skill to be selected in situations where the user did not intend portal access, credential use, or automated notifications. In a skill handling student accounts and external integrations, over-triggering raises the chance of unnecessary access to sensitive data and unintended side effects.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes storage and handling of student IDs and passwords but does not include strong privacy, retention, and access warnings. Because these are education account credentials for children and can be reused across portals, poor handling or casual automation materially increases the risk of account compromise and exposure of minors' data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The automation section normalizes recurring external actions—calendar creation and WhatsApp updates—without clearly warning that data will be shared outside the source systems on an ongoing schedule. In the context of children's school information, silent recurring automation increases privacy risk, mistaken dissemination, and persistence of sensitive details in third-party services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly instructs users to store student IDs and passwords in a plaintext .env file under a fixed path, and it provides a credential schema for multiple children. Even though this is an example file, it normalizes insecure handling of sensitive student credentials without any warning about file permissions, secret management, or risks of credential leakage through backups, logs, or repository commits.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code silently reads stored child account credentials without any in-code disclosure, confirmation, or consent checkpoint. Because the data belongs to minors and grants access to educational records, undisclosed secret use increases privacy and misuse risk even if the intended purpose is legitimate.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script performs automated login and retrieval of student data from an external site with no user-visible notice at execution time that credentials and student information will be sent over the network. In a skill environment, silent external transmission of child-related data is privacy-sensitive and can surprise users or operators.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installer creates a persistent env file containing placeholders for student account usernames, passwords, a WhatsApp group ID, and a service-account path, but it does not explicitly warn the operator that this file will hold sensitive credentials. In this skill context, the data relates to children and school systems, so encouraging plaintext secret storage without clear handling guidance increases the chance of accidental disclosure through backups, syncing, shell history, or misconfigured file sharing.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script accesses a service-account credential file silently, without any user-facing disclosure that privileged Google credentials are being used. In a user-facing automation context, undisclosed use of privileged credentials reduces transparency and can cause users to unknowingly authorize sensitive operations under a high-privilege identity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends child names and homework/task details to Google Calendar without any visible consent or disclosure in the code path. Because this is student-related data, undisclosed export to an external service raises privacy and compliance concerns and is more sensitive than ordinary calendar automation.

VirusTotal

64/64 vendors flagged this skill as clean.
