Curriculum Generator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real curriculum-generation helper, but it needs review because it stores conversation details locally and tells the agent to run shell-based searches with unclear privacy and control boundaries.

Review this skill before installing in environments with student, teacher, or institutional data. Avoid entering personal student data, inspect and periodically delete the memory directory, and prefer disabling or replacing shell-based search commands with a constrained search tool if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The skill's own mandatory human-escalation policy is overridden later by instructions to continue automatically with placeholder values after timeout. That creates a policy-bypass path where unresolved safety-critical gaps can be silently converted into output, undermining the core safeguard for ambiguous or risky curriculum decisions.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The file declares 'Transparency > automation speed' and forbids silent gap-filling, but later instructions require uninterrupted execution without pauses or confirmation. This contradiction increases the chance the agent will skip disclosure and human review in order to complete the workflow, weakening safety controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to invoke a Python script through bash_tool using topic-derived input, granting a broader execution surface than necessary for simple web search. Even if intended for convenience, shell/Python execution increases risk of command misuse, path abuse, or injection if any part of the command is influenced by untrusted content.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README advertises automatic web searches and local memory/output storage but does not clearly warn users that prompts, curriculum details, or operational context may be transmitted to external services and persisted on disk. In an educational setting, this can expose sensitive institutional or student-related information through unintended search queries or retained local artifacts.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The activation trigger 'curriculum help' is broad enough to match ordinary discussion or support requests, which can cause the skill to activate outside the user's intended scope. Over-broad triggering is dangerous here because the skill includes file generation, search, persistence, and escalation behavior that should only run under clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The skill directs storage of conversation context and user details to local memory files without any user-facing notice, consent flow, retention policy, or data-minimization guidance. This creates a privacy risk because personally identifiable and operational information may be retained unexpectedly and reused later.

Ssd 3

Severity: Medium
Confidence: 99%
Finding:
The skill persistently stores full conversation context, user identity, POD details, decisions, and escalations in local files. Persistent storage broadens exposure to later unauthorized access, accidental disclosure, or secondary misuse, especially because the file structure encourages collecting more data than is strictly necessary.

VirusTotal

66/66 vendors flagged this skill as clean.
