Pilot Ai Tutoring System Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is for creating an educational progress-tracking subagent, but it asks users to approve broad OpenClaw device permissions that are not clearly limited to that purpose.

Review this carefully before installing. Only approve a specific, understood permission request, not a generic latest request, and avoid granting admin, pairing, approvals, or secrets access unless you can justify each permission. Do not use real student identifiers or sensitive education records unless you have consent and a clear retention/deletion plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly routes learner responses, progress, grades, and assessment history between multiple agents, but the description does not warn users that educational performance data is being transmitted and retained. This creates a real privacy and informed-consent issue because operators may deploy it without understanding the sensitivity and persistence of student data.

VirusTotal

64/64 vendors flagged this skill as clean.
