Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vietnam Education
v1.0.0Skill soạn giáo án, đề thi, phiếu học tập theo chuẩn Chương trình GDPT 2018 (Thông tư 32/2018/TT-BGDĐT) và Công văn 7991/BGDĐT-GDTrH (cấu trúc đề kiểm tra đị...
⭐ 0· 43·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required binaries (python3, node), and included scripts (create-exam.js, draw-figure.py, verify-answer.py) align with the stated goal of composing lesson plans, exams and verifying answers; included helper reference files also match the educational purpose.
Instruction Scope
Runtime instructions properly require web searches for textbook/SGK verification and running the included scripts to generate .docx, draw figures, and verify calculations. Two items to note: (1) SKILL.md refers to a `validate.py` step (⑦) but no validate.py is present in the manifest — that's an inconsistency the author should fix; (2) the scripts accept and parse user-supplied expressions (sympy.parse_expr and similar) — this runs code locally and can be dangerous if untrusted input is executed without sanitization. Also the SKILL.md repeatedly instructs agents to perform web_search operations: that's expected for this task but means the agent will fetch external material during use.
Install Mechanism
There is no automated install spec in the registry; SKILL.md lists straightforward installs (npm install -g docx, pip install sympy matplotlib numpy). These are standard packages from normal package managers (npm/pip). The only minor concern is the suggested use of global npm install and pip with --break-system-packages (an uncommon flag that modifies system package boundaries) — operationally unusual but not incoherent with purpose.
Credentials
The skill requests no environment variables or credentials and requires only Python and Node — that's proportionate for document generation and local math/plotting verification. No unrelated secrets or config paths are requested.
Persistence & Privilege
Skill has default presence (always: false) and normal model invocation settings. It does not request persistent elevated privileges or modify other skills' configurations.
Assessment
This skill appears coherent for composing Vietnamese lesson plans and CV‑7991 exam papers, but check these before installing:
- Missing file: SKILL.md references a validate.py step but no validate.py is included; ask the author or verify how the output Word is validated.
- Input parsing: draw-figure.py and verify-answer.py use sympy.parse_expr / parse functions on strings. If you (or the agent) pass untrusted text into these, it can be unsafe — run in a sandbox or review/limit inputs before executing.
- Installation notes: SKILL.md recommends global npm install -g docx and pip install ... --break-system-packages. Prefer using a virtualenv (python) and avoid global npm installs if possible to reduce system impact.
- Web searches: The workflow depends on the agent performing web_search to fetch SGK/textbook content. That means data will be retrieved from the web during operation — consider privacy implications if you will be using proprietary or student data alongside the tool.
- Code review: The included JS/Python look free of network calls and external endpoints, but you should still scan the code if you plan to run it in a sensitive environment.
If you want to proceed safely: run the scripts in an isolated environment (virtualenv/container), avoid installing packages globally, confirm or obtain the missing validate.py, and review how expressions passed to sympy are constructed or sanitized.Like a lobster shell, security has layers — review code before you run it.
latestvk97ct6sa94xrbqqvj3v78xn2y183wv6r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎓 Clawdis
Binspython3, node