菲菲老师学习主控

Security checks across malware telemetry and agentic risk

Overview

This education assistant is mostly coherent, but it deserves review because it handles sensitive child and family data, describes automatic reminders and cloud syncing, and lacks clear consent and safety boundaries.

Review carefully before using this with a child. Use it only with parent/guardian and student awareness, avoid entering real names, school names, exact schedules, or unnecessary family details, limit or disable reminders unless wanted, do not rely on it for mental-health assessment or crisis support, and avoid the AIGC-detection-evasion polishing feature for academic or professional submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium (90% confidence)
Finding
The README advertises proactive monitoring of learning progress, report generation, and parent communication without disclosing what student data is collected, how it is stored, who can access it, or whether consent is required. In an education/family context involving minors, this creates meaningful privacy and expectation risks because users may enable sensitive tracking and sharing without informed consent.

Missing User Warnings

Medium (93% confidence)
Finding
The 'heartbeat service' describes proactive reminders, task pushing, completion checks, and recurring outreach, but does not warn users that the agent may initiate autonomous notifications or follow-up behavior. That omission can mislead users about the agent's level of autonomy and create privacy, consent, and harassment-style risks if reminders are persistent or sent to family members.

Missing User Warnings

Medium (93% confidence)
Finding
The skill offers '心理陪伴/ Psychological Support' and emotion-guidance for children but does not warn users that it is not a licensed mental-health provider or a substitute for professional evaluation. In a family/child setting, users may over-rely on the agent for distress, behavioral, or crisis situations, delaying appropriate clinical or emergency care.

Missing User Warnings

Medium (95% confidence)
Finding
The skill describes tracking detailed student mastery, emotional context, parent-child conflict, and generating reports for parents without any privacy notice or minimization guidance. Because the data concerns children and family dynamics, misuse or over-collection could expose sensitive personal information and create heightened privacy and compliance risk.

Missing User Warnings

Medium (93% confidence)
Finding
The document explicitly defines automatic local writes, daily cloud sync, and retention of historical versions for student profile data, but provides no consent flow, notice, access controls, minimization limits, or safeguards for minors' educational data. In a family/child learning assistant context, this is sensitive personal data processing, and undocumented persistence and remote transmission materially increase privacy, compliance, and breach risk.

VirusTotal

64/64 vendors flagged this skill as clean.
