ClawHub

Xuexitong Homework Submit

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Chaoxing homework automation, but it handles a live account cookie and can send that cookie and answer images over plain HTTP.

Install only if you intentionally want this skill to use your Chaoxing session cookie and write homework drafts or submissions. Prefer draft-save first, review in Chaoxing before using --confirm, keep the cookie file private with restrictive permissions, and avoid the handwritten upload pipeline on untrusted networks unless you accept that cookies and answer images may be exposed over plaintext HTTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill performs authenticated requests using a local cookie file and uploads generated answer images to external Chaoxing endpoints, but the documentation lacks a clear privacy and data-transmission warning. Users may not realize that homework content, answers, identifiers, and session-derived data are sent to third-party services, which can expose educational records or enable account misuse if cookies are mishandled.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code uploads handwritten answer images to notice.chaoxing.com over plain HTTP, which exposes sensitive homework content and session context to interception or modification by any on-path attacker. In this skill, the uploaded files are the user's actual answers, so the context makes the confidentiality and integrity risk materially worse.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script performs authenticated requests using a persisted Chaoxing cookie file without any explicit user-facing notice, confirmation, or scope disclosure at the point of use. In the context of an automation skill that scans homework state, this can silently access a student's account data and trigger privacy or account-misuse concerns if the operator is unaware which account/session is being used.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script reads a live authentication cookie from a local file and reuses it for authenticated requests to the homework platform. While this is core to the tool’s purpose, it creates real credential-handling risk: plaintext session tokens on disk can be stolen by other local processes, accidentally committed, or reused to impersonate the user without re-authentication.

VirusTotal

45/45 vendors flagged this skill as clean.

View on VirusTotal