Skillv1.0.0

ClawScan security

Feifei Companion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 19, 2026, 1:51 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's content matches a tutoring/learning-companion purpose and has no install or credential requests, but the SKILL.md contains detected unicode-control characters (prompt-injection signal) and asks the agent to collect/coordinate learning data without specifying storage or provenance — this combination is suspicious and warrants caution.
Guidance: This skill appears to be what it says (a multi-persona learning companion) and requests no installs or credentials, but exercise caution before enabling it. The SKILL.md contains detected unicode control characters — these can hide instructions that change agent behavior. Recommended steps: - Do not provide sensitive personal data (child's full name, ID numbers, school accounts, exact DOB) until you verify provenance. - Ask the publisher for a homepage, privacy policy, and data-retention details (where learning data is stored, who can access it, deletion policy). - Inspect the SKILL.md raw bytes for control characters (look for U+202A..U+202E, U+200B, etc.). Use a hex viewer or commands like `cat -v`, `xxd`, or a text editor showing hidden chars. If present, remove them or request a cleaned file. - Prefer skills with clear provenance (owner website, repo, or organization) and an explicit statement of how/where user data is stored. If you can't verify the source, avoid enabling it for accounts or conversations involving real children or sensitive information. - If you still want to test it, run it in a sandboxed environment and monitor outputs for unexpected actions or instructions, and limit its scope (no autonomous access to other tools or credentials). If you can provide the raw SKILL.md bytes or the exact control-character sequences found, I can help identify and remove them or give a more precise safety recommendation.
Findings: [unicode-control-chars] unexpected: Hidden Unicode control characters are not expected for a tutoring skill; they are a common technique to conceal prompt-injection payloads (e.g., using U+202E, U+202A, zero-width chars) that can change model parsing or hide instructions. This is a clear signal to inspect the raw file and remove/neutralize any control characters before trusting the skill.

Review Dimensions

Purpose & Capability: okName, description, and SKILL.md content consistently describe a multi-agent learning companion (tutors, module selector, learning-data hub). There are no unexpected binaries, environment variables, or installs requested that would be incoherent with a tutoring assistant.
Instruction Scope: concernThe SKILL.md is an instruction-only spec that defines agent personas, module selection, and a 'learning data hub' that implies collecting and sharing student/parent data. The file contains unicode-control-characters (prompt-injection signals) detected by the pre-scan — this could embed hidden instructions that alter agent behavior. The skill also does not declare how learning data is stored or transmitted, which is a privacy and scope concern.
Install Mechanism: okNo install spec and no code files — lowest-risk surface from an installation standpoint. Nothing is downloaded or written to disk by the skill package itself.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. It therefore does not request secrets or unrelated access in its manifest.
Persistence & Privilege: okalways is false and there is no indication the skill requests elevated or persistent platform privileges. Autonomous invocation is allowed by default (not flagged by itself).