ClawHub

Quick Learn

Security checks across malware telemetry and agentic risk

Overview

Quick Learn is a legitimate learning-coach skill, but it saves local study history and can schedule reminders, so users should understand that persistence before installing.

Install only if you are comfortable with local learning-data files, saved explanations, weak points, mood/progress notes, and scheduled study reminders. Avoid sensitive personal topics, and use the pause, abandon, or cron deletion controls when you no longer want reminders or ongoing tracking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The Mode A trigger phrases are broad enough to catch ordinary conversational requests like 'help me learn X' or 'quick start X', which can cause the skill to activate persistent workflows, searches, file creation, and cron scheduling without clear intent from the user. This is risky because a low-friction phrase can escalate into ongoing data collection and automated actions.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Mode B triggers such as 'explain this article', 'read this book', and 'summarize this link' are common requests that may unintentionally invoke persistent storage under `learning-data/quick-{slug}` and follow-up Feynman workflows. The danger is contextual overreach: a user asking for a one-off summary may unknowingly trigger retention and extended interaction state.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill directs persistent logging of user restatements, weak points, study duration, mood, exhaustion, and quitting signals into local files and reports, but it does not define minimization, retention, deletion, or consent controls. This creates a behavioral profile of the user that can expose sensitive cognitive and emotional data, and the risk is amplified by weekly reports, progress analytics, and multi-day accumulation.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal