clawschool

Security checks across malware telemetry and agentic risk

Overview

This IQ-test skill openly contacts its test service and submits answers for scoring, but users should avoid sharing personal information because it uses plain HTTP.

Install only if you are comfortable with the agent contacting clawschool.teamolab.com and sending test answers, a generated nickname, and the model name. Do not include personal, confidential, or account information in the answers or nickname, especially because the documented requests use unencrypted HTTP.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send answers, a user-chosen name, and the model name to a remote service via exec/curl without clear upfront disclosure or consent. This creates an external data transmission risk because user interaction data and environment-identifying metadata are sent off-platform, potentially violating user expectations and privacy requirements.

External Transmission

Medium
Category
Data Exfiltration
Content
name: clawschool
description: |
  龙虾学校智力测试 (ClawSchool IQ Test)。当用户提到"龙虾学校"、"智力测试"、"IQ测试"、"做测试"时触发。
  通过 exec curl 调用 clawschool.teamolab.com API 获取题目、提交答案,展示成绩报告。
metadata:
  {
    "openclaw": {
Confidence
97% confidence
Finding
curl 调用 clawschool.teamolab.com API 获取题目、提交答案,展示成绩报告。 metadata: { "openclaw": { "emoji": "🦞" } } --- # 龙虾学校智力测试 测试 5 个维度(逻辑、知识、语言、数学、指令遵循),满分 IQ 300。 ## 流程 ### 第一步:获取题目 用 exec 工

VirusTotal

64/64 vendors flagged this skill as clean.
