HK Student Portfolio Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local student portfolio generator, but it handles sensitive information about minors without enough privacy guidance or activation scoping.

Review this carefully before installing if you will use real student information. Use it only for the intended school-application workflow. Avoid entering ID numbers, full addresses, phone numbers, or teacher contact details unless a school specifically requires them, and treat generated Word/PDF files as sensitive documents about a minor when storing or sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (95% confidence)
Finding
The README explicitly instructs users to provide or store sensitive student personal data, including name, gender, school, ranking, awards, specialties, contact information, birth date, and teacher comments, but provides no privacy notice, minimization guidance, consent requirements, or handling safeguards. Because this is a student-focused skill involving minors, the absence of data-protection guidance materially increases the risk of over-collection, unauthorized disclosure, and unsafe downstream sharing in generated resumes.

Vague Triggers

Medium (84% confidence)
Finding
The trigger list includes very generic education terms such as '升中', '個人檔案', 'portfolio', and '中學面試', which can match ordinary user conversations outside the intended narrow use case. Overly broad activation increases the chance the skill is invoked on unrelated requests and may start soliciting or processing sensitive student information unexpectedly.

Missing User Warnings

Medium (90% confidence)
Finding
The documented JSON schema and workflow explicitly collect highly sensitive student and family data, including identity details, contact information, birthday, school history, awards, and family background, but the skill does not present a clear privacy warning or handling guidance. This can lead users to provide minors' personal data without informed consent, minimization, or awareness of retention and sharing risks.

VirusTotal

66/66 vendors flagged this skill as clean.
