Security audit

Generate Private K-12 School Client Education Handout

Security checks across malware telemetry and agentic risk

Overview

This skill is educational in stated purpose, but it asks the agent to approve broad OpenClaw device permissions and spawn a subagent in a way that is too powerful for simple class-progress tracking.

Review this carefully before installing. Use it only if you intentionally want an agent to create OpenClaw subagents, and do not run approval commands like openclaw devices approve --latest unless you have inspected the exact pending request and are comfortable granting the listed operator and secrets-related permissions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The skill’s trigger and usage description are vague and broadly scoped, which can cause the agent to invoke this skill in situations beyond its intended purpose. Overly underspecified activation criteria increase the risk of misapplication, generation of inappropriate client-facing content, or accidental use with sensitive educational or enrollment contexts without sufficient guardrails.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal