Skill v3.5.1
ClawScan security
菲菲老师学习主控 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 16, 2026, 3:18 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's content mostly matches an AI tutoring assistant, but there are several red flags (prompt‑injection markers, instructions to evade AIGC detection, and instructions implying autonomous 'heartbeat' behavior and coordination with external agents) that make its runtime behavior unclear and potentially risky.
- Guidance: This skill appears to be an extensive instruction-only AI tutor, but you should be cautious before enabling it. Specific things to check or ask the author before installing: 1) Why are there invisible/unicode control characters in SKILL.md? Ask for a clean copy and an explanation. 2) What does '降低AIGC识别率' mean in practice? That functionality can be used to evade content‑detection systems; request that it be removed or explained. 3) How are the 'heartbeat' proactive tasks implemented and scheduled? Confirm whether the skill will act only when you invoke it and how to disable recurring reminders. 4) How and where are student profiles/reports stored, and who can access them? Ensure proper consent and encryption. 5) How does the skill integrate with the external agents/platforms it mentions? Request explicit details on APIs, endpoints, and required credentials. If the author cannot provide clear, auditable answers (and a SKILL.md without hidden control characters), treat the skill as untrusted and avoid providing real student data or granting it persistent/autonomous execution. If you must try it, run it in a sandboxed environment and do not submit personally identifiable information.
- Findings
[unicode-control-chars] unexpected: The SKILL.md contains unicode control characters/patterns flagged by the scanner. This is not expected for a benign teaching assistant and can be used to hide or manipulate prompts/instructions. Treat as suspicious and inspect the raw text for invisible characters or hidden directives.
Review Dimensions
- Purpose & Capability (note): Name/description and the instruction documents consistently describe an AI tutor / knowledge‑network assistant; no binaries or credentials are declared, which is broadly consistent. However, the SKILL.md repeatedly references dispatching work to external agents/platforms (e.g., 文心一言/DeepSeek/豆包/小龙虾 and named '浩云学长/小菲学姐') without declaring any required credentials or APIs — that mismatch is noteworthy (it may be benign if these are conceptual placeholders or built‑in connectors, but it is unexplained).
- Instruction Scope (concern): The instructions include 'heartbeat' / proactive behaviors (wake‑ups, automatic task issuance, automatic verification and loops) which ask the agent to act proactively rather than only on explicit user commands. The SKILL.md also includes an add‑on that explicitly promises to '降低AIGC识别率' (reduce AIGC detection) which is an evasion capability and out of scope for an educational tutor. Additionally, a pre‑scan flagged unicode control characters inside SKILL.md (possible prompt‑injection/obfuscation). Together these indicate the runtime instructions may try to influence model behavior beyond normal tutoring tasks.
- Install Mechanism (ok): Instruction‑only skill with no install spec and no code files — lowest install risk. Nothing will be downloaded or written by an install step.
- Credentials (note): The skill declares no environment variables or external credentials (proportionate), but the content expects handling of student profiles and personal data (student JSON templates, learning histories, reports). That implies privacy considerations: the skill does not request cloud/API keys explicitly though it references external agent platforms — the lack of declared credentials for these integrations is unexplained.
- Persistence & Privilege (concern): always:false and no install means the skill cannot forcibly persist on disk, but SKILL.md explicitly asks for 'heartbeat' / proactive recurring behavior and agent coordination. If the platform permits autonomous invocation or background scheduling, this could allow the skill to act repeatedly without frequent user prompts. Combined with the prompt‑injection and evasion content, this increases the risk surface.
