Feifei Companion

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only tutoring skill, but it asks to build long-term profiles and parent-facing reports about children without clear consent or retention limits.

Review this carefully before installing for any real child or classroom use. Use it only if memory, parent sharing, report generation, deletion, and retention settings are explicit and under your control; avoid entering sensitive family, mental-health, school-account, or identity details. Do not use the writing-polish feature to evade AI-detection or authorship rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The skill explicitly advertises a capability to 'reduce AIGC detectability,' which is unrelated to tutoring and can facilitate academic dishonesty or evasion of authorship detection. In a K12 context, this is especially risky because it encourages misuse by minors and undermines institutional integrity controls.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes updating learning reports and notifying parents automatically, but does not clearly state when data will be shared, what data is included, or how consent is obtained. Because the users are students, potentially minors, silent sharing with parents increases privacy and trust risks and may expose sensitive educational or emotional information.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill states that each interaction automatically updates a detailed student profile, including learning style and other personal dimensions, without an explicit privacy warning or data minimization boundary. Continuous profiling of children creates significant privacy risk, especially if users are unaware of the collection, retention, or downstream use of that data.

Missing User Warnings

Medium
Confidence: 95%
Finding
Recording 'every step' of a student's growth into a long-term portfolio implies broad, persistent retention of educational and behavioral data without a clear warning about retention period, sensitivity, or access. For minors, long-term accumulation of this data can create disproportionate privacy harm if exposed, misused, or shared too broadly.

Ssd 3

Medium
Confidence: 94%
Finding
Persistent profiling combined with automatic reuse of prior interactions creates a natural-language memory store containing sensitive student information over time. In this K12 setting, that raises the risk of cross-session leakage, over-collection, and disclosure of emotional, academic, or family details beyond the user's expectations.

Ssd 3

Medium
Confidence: 97%
Finding
The skill instructs the creation of comprehensive student profiles spanning cognition, emotions, habits, interests, and goals. This is sensitive profiling of minors and can enable intrusive inference, inappropriate personalization, or harmful disclosure if not tightly governed by consent, minimization, and access controls.

Ssd 3

Medium
Confidence: 97%
Finding
The long-term growth portfolio and milestone tracking semantically direct extensive retention of student performance, habits, emotional trends, and achievements across time. In a child-focused education product, such accumulation materially increases the blast radius of any leak or misuse and may exceed reasonable expectations for tutoring support.

VirusTotal

63/63 vendors flagged this skill as clean.
