Security audit

Edupath

Security checks across malware telemetry and agentic risk

Overview

Edupath is a prompt-only education planning skill that uses live Baidu and internal school-data lookups, with no executable code, credential access, or persistence.

Install if you are comfortable with a skill making many live web and internal database lookups to produce education reports. Use only the minimum necessary input, preferably just the undergraduate major, and avoid adding private student details unless you know which services will receive them. Verify admissions, salary, and employment claims against the cited official sources.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill requires sending user-derived query context to external search services and internal MCP APIs, but it never discloses that the user's input may be transmitted to Baidu or internal data systems. Even if the input is only a major name, users may include sensitive educational or personal context in follow-up prompts, creating an undisclosed data-sharing/privacy risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal