ClawHub

Exam Generator

Security checks across malware telemetry and agentic risk

Overview

This exam-paper generator is an instruction-only drafting aid with disclosed web-search use and no evidence of hidden code, credential access, persistence, or destructive behavior.

Install only if you are comfortable with the agent using web search while drafting exams. Do not include student personal information, confidential school materials, or unpublished exam content unless you are prepared for relevant parts to be used as search queries, and manually review all generated questions and answers before classroom use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases are broad enough to match ordinary education requests such as '生成一份试卷' or '出一套数学题', which can cause the skill to activate unexpectedly in contexts where the user did not intend external search, file generation, or this specific workflow. Over-broad routing increases the chance of misfires, privacy surprises, and unintended tool use, especially in general-purpose assistants handling students' or teachers' data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it automatically uses web search for knowledge validation but does not clearly warn users that portions of their request may be sent to an external search capability. This creates a privacy and consent issue: teacher prompts may include student information, unpublished exam content, or internal school materials that could be disclosed outside the immediate assistant context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal