清华网络学堂 (Tsinghua Learn)

Security checks across malware telemetry and agentic risk

Overview

This Tsinghua Learn helper is mostly purpose-aligned, but it needs review because it stores reusable login/session data and can mark course items as read automatically during ordinary todo checks.

Install only if you trust this skill with your Tsinghua Learn account on this Windows machine. Before routine use, review or disable auto_mark_read if you want checking todos to remain read-only. Treat the stored credentials, browser profile, and session file as sensitive login material, verify important homework submissions on the official site, and use the reset flow when you no longer want local account state retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill requires powerful capabilities—environment access, filesystem read/write, network access, and shell execution—but does not explicitly declare permissions or present a bounded trust model. That makes it harder for a platform or user to understand the real blast radius of the skill, especially because it handles credentials, browser profiles, and session tokens while also invoking installers and local scripts.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The declared description understates the actual behavior: beyond simple learning-platform automation, the skill installs dependencies and a browser, persists credentials and session material, reads broad categories of academic data, tracks submissions, and manages local files. This mismatch can defeat informed consent because a user may authorize what sounds like a narrow helper while actually granting a much broader automation and data-handling capability.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The `--reset` mode performs broad deletion/reset of local data including downloads, uploads, session state, submissions, browser profile data, credentials, and config. In an agent skill context, this is more dangerous because it provides a destructive capability beyond the core learning-task automation purpose and could be triggered accidentally or abused to cause local data loss and user lockout.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The `--verify` path can install Chromium via Playwright, giving the skill software installation capability not clearly bounded by the manifest's stated purpose. In an agent setting, unexpected package/browser installation expands system impact, may alter the host environment without explicit user consent, and could be misused as an escalation of capability.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script explicitly extracts live session identifiers and CSRF-related state from browser cookies/page state and writes them to a local JSON file. Those artifacts can allow session hijacking or replay by any local process or user that can read the file, which goes beyond merely automating credential entry and increases the blast radius of compromise.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script exposes workspace cleanup functionality alongside Learn-platform task automation, expanding its authority beyond the stated skill purpose. This increases the chance that an agent or user invokes local file-deletion behavior unexpectedly, which can cause unintended data loss even if the cleanup targets are meant to be benign.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
When auto_mark_read() is enabled, the script marks announcements and files as read automatically before the user explicitly requests that action. This silently changes remote course state, which conflicts with the advertised behavior requiring deliberate user action and can lead to unauthorized or unintended modifications in the user's academic account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation exposes destructive commands such as --reset and cleanup operations without any accompanying warning, confirmation guidance, or description of irreversible effects. In an agent-executed skill, this increases the chance of accidental data loss because an LLM or user may invoke these commands based only on the command list and not realize they delete stored state or downloaded materials.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The initialization trigger is broad enough that ordinary conversation could accidentally enter a high-risk flow that collects login credentials and begins installing dependencies or browsers. In this skill's context, mis-triggering is more dangerous because the workflow requests passwords and sets up persistent authenticated state against a real university account.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all instruction to 'just tell AI what you want' is overly permissive for a skill that can log in, submit homework, mark items read, install software, and delete local files. Overbroad triggering increases the risk of unintended sensitive actions from ambiguous user messages, especially in multilingual or conversational contexts.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
On non-Windows systems, the code claims credentials are protected but actually falls back to base64 encoding, which is reversible and provides no security. This is especially dangerous here because the skill explicitly stores a username and password for an academic portal, so compromise of the local file directly exposes reusable credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The submit_homework function uploads arbitrary local file contents to a remote server as soon as it is called, with no built-in confirmation, preview, or policy check at the point of exfiltration. In this skill’s context, the tool handles user coursework and local files, so accidental invocation, argument confusion, or misuse by a higher-level agent could cause unintended disclosure of sensitive documents to the university platform.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
mark_all_announcements_read iterates through all unread announcements and changes remote account state without any confirmation or interactive warning. While this is not code-execution or credential theft, it can silently alter academic records/workflow state and hide unread items, which is risky for an automation skill operating on a student account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
mark_all_files_read performs a bulk remote mutation of read-status for course files with no user-facing confirmation or per-item review. In this skill context, that makes the issue more meaningful because read/unread state is part of the user’s learning workflow, and an agent could incorrectly mark materials as seen, reducing visibility into unfinished work.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script is explicitly designed for unattended login, reuses a persistent browser profile, and automatically submits username/password without any runtime confirmation or guardrails. In the context of a university learning platform, this increases the risk of silent account actions if the host is compromised, the script is triggered unexpectedly, or the stored profile/session artifacts are abused.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The CLI accepts a password via `--password`, which can leak through shell history, process listings, audit logs, or agent telemetry. This is especially sensitive here because the skill handles real login credentials for a university platform, so exposure could directly compromise the user's account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code silently writes sensitive session and CSRF tokens to a state file without an explicit user-facing warning or consent at the point of storage. In this skill's context, users are already asked for a password and may not realize the tool also creates reusable authentication artifacts on disk, making accidental exposure or misuse more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The --cleanup path directly executes cleanup(dry_run=False) without an in-script confirmation gate or warning at execution time. Because cleanup is a destructive local action, an agent or user can trigger file removal too easily, creating avoidable risk of accidental deletion within the workspace.

Credential Access

High
Category
Privilege Escalation
Content
| Data | Location | Notes |
|------|------|------|
| Login credentials | `credentials.json` | Windows DPAPI encrypted (bound to the current user account; Windows only) |
| Browser login state | `profiles/learn_profile/` | Chrome profile containing cookies, avoids triggering 2FA on every run |
| Session tokens | `sessions/learn_session.json` | JSESSIONID + CSRF Token |
Confidence
97% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.
