
Security audit

基于输入知识图谱个性生成节点学习内容 (Personalized generation of node learning content from an input knowledge graph)

Security checks across malware telemetry and agentic risk

Overview

This skill is not overtly destructive, but its description overstates topic-specific, authoritative content generation: the code mostly emits fixed blockchain material, and it performs external lookups that are not adequately disclosed.

Install only if you are comfortable treating the output as a rough draft that requires manual verification. Do not rely on it for domain-general or authoritative curriculum generation without checking every cited source, and do not use the RAG enhancer with confidential course, project, or learner topics unless sending those topics to Wikipedia/arXiv is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes operations that read and write files, but the skill declares no permissions. This leaves a transparency and policy-enforcement gap: neither the runtime nor a reviewer can accurately constrain what the skill may access or modify, which increases the risk of unintended file access, overwrites, or data exposure. File access may be operationally reasonable for a content-generation skill, but leaving it undeclared is still unsafe, because it prevents informed consent and least-privilege enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose of the skill is limited to generating learning content from a knowledge graph, but the analyzed behavior reportedly extends to external network access, real-time RAG retrieval, citation generation, validation workflows, and audio/TTS-related outputs. This mismatch is dangerous because it hides materially different trust assumptions: network access can exfiltrate user data or fetch untrusted content, and undeclared auxiliary features widen the attack surface beyond what a caller expects. In an educational-content skill the risk is higher because users are likely to supply proprietary course material or internal learning plans on the assumption that processing is local.
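The two findings above (undeclared file permissions, and network/retrieval behavior absent from the declared purpose) are both instances of one check: infer what capabilities the skill's source actually exercises and diff that against what its manifest declares. The following is an added example, not SkillSpector's code or the audited skill's code; the capability names, the prefix table, the manifest shape (a set of permission strings) and the sample skill source are assumptions constructed for illustration.

```python
"""Added example: infer capabilities from a skill's Python source and diff them
against declared permissions. Capability names, prefix table and the sample
skill are constructed assumptions, not the audited skill's real code."""
import ast

# Dotted call-name prefixes that imply a capability (constructed mapping).
CAPABILITY_PREFIXES = {
    "network": ("requests.", "urllib.request.", "httpx.", "socket."),
    "env_read": ("os.environ", "os.getenv"),
    "fs_enum": ("os.listdir", "os.walk", "os.scandir", "glob.glob"),
    "subprocess": ("subprocess.", "os.system", "os.popen"),
}
WRITE_MODE_CHARS = set("wax+")


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_capability(call):
    """Classify builtin open() by its mode argument; no mode means read."""
    mode = "r"
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        mode = str(call.args[1].value)
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            mode = str(kw.value.value)
    return "file_write" if WRITE_MODE_CHARS & set(mode) else "file_read"


class CapabilityCollector(ast.NodeVisitor):
    def __init__(self):
        self.used = {}  # capability -> line numbers where it is exercised

    def _record(self, capability, lineno):
        self.used.setdefault(capability, set()).add(lineno)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name == "open":
            self._record(_open_capability(node), node.lineno)
        elif name:
            for capability, prefixes in CAPABILITY_PREFIXES.items():
                if name.startswith(prefixes):
                    self._record(capability, node.lineno)
        self.generic_visit(node)

    def visit_Subscript(self, node):
        # os.environ["KEY"] is a subscript, not a call, so handle it here.
        if _dotted_name(node.value) == "os.environ":
            self._record("env_read", node.lineno)
        self.generic_visit(node)


def infer_capabilities(source):
    collector = CapabilityCollector()
    collector.visit(ast.parse(source))
    return {cap: sorted(lines) for cap, lines in collector.used.items()}


def audit_permissions(declared, source):
    """'undeclared' is the least-privilege gap a reviewer should flag."""
    used = infer_capabilities(source)
    return {
        "used": used,
        "undeclared": sorted(set(used) - set(declared)),
        "unused_declared": sorted(set(declared) - set(used)),
    }


# Constructed sample: declares only file_read, but also writes output,
# reads an environment variable and queries a remote API.
SAMPLE_SKILL_SOURCE = '''
import os, json, requests

def generate(node_name, kg_path, out_path):
    with open(kg_path) as f:
        graph = json.load(f)
    lang = os.environ.get("SKILL_LANG", "zh")
    resp = requests.get("https://zh.wikipedia.org/w/api.php",
                        params={"action": "query", "titles": node_name})
    with open(out_path, "w") as out:
        out.write(json.dumps({"node": node_name, "lang": lang, "hits": resp.json()}))
'''
SAMPLE_DECLARED = {"file_read"}

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_DECLARED, SAMPLE_SKILL_SOURCE))
```

Run against the constructed sample, the report lists `env_read`, `file_write` and `network` as undeclared, each with the line where it is exercised. The prefix table is deliberately conservative: it catches direct calls through well-known modules and misses aliasing (`from requests import get`) or dynamic dispatch, so treat it as a triage aid that must be paired with a manual read, not as proof of absence.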

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The generator claims to produce personalized learning content from arbitrary knowledge-graph nodes, but the main text-generation logic is effectively a hard-coded blockchain template that interpolates the node name in only a few places. In a learning-content skill this is dangerous because it can silently generate authoritative-looking but materially incorrect content for unrelated topics, causing misinformation, trust abuse, and downstream educational or policy errors.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The implementation hard-codes a 25-minute structure and always assembles 5 quiz questions, although the skill contract promises variable output of 3000 to 5000 characters (3000~5000字) and 3 to 5 questions per node. This mismatch is dangerous because calling systems may rely on the declared behavior for curriculum planning, evaluation, or quota enforcement, and receive nonconforming outputs without warning.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The file-level description says content is generated from knowledge-graph nodes, but the implementation uses node data only superficially while emitting generic blockchain-specific material. In this skill context, that makes the issue more dangerous because the output is framed as authoritative educational content, increasing the likelihood that users trust fabricated topic alignment and inaccurate citations.
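Both the Description-Behavior Mismatch finding on the hard-coded template and the Intent-Code Divergence finding above describe the same defect: output that depends on the input node only through name interpolation. A black-box check a reviewer can run without reading the source is to generate content for several unrelated nodes, mask the node names, and measure how much text survives unchanged. The following is an added example, not the audited skill's code; both generators are constructed stand-ins (one mimicking the reported fixed-template behavior, one whose content really depends on the node), and the node names and the 0.8 threshold are assumptions.

```python
"""Added example: black-box detection of a generator that emits a fixed
template regardless of the input node. Both generators below are constructed
stand-ins; the node names and threshold are assumptions."""
import difflib
import itertools
import re


def _mask_node(text, node_name):
    """Replace the node name with a placeholder so interpolating the name
    does not count as topic-specific variation."""
    return re.sub(re.escape(node_name), "<NODE>", text, flags=re.IGNORECASE)


def audit_generator(generate, nodes, threshold=0.8):
    """Generate content for unrelated nodes and compare the masked outputs.
    If even the least similar pair shares at least `threshold` of its tokens,
    the generator is producing a template rather than node-specific content."""
    masked = {n: _mask_node(generate(n), n).split() for n in nodes}
    ratios = {}
    for a, b in itertools.combinations(nodes, 2):
        ratios[(a, b)] = difflib.SequenceMatcher(None, masked[a], masked[b]).ratio()
    min_ratio = min(ratios.values())
    return {
        "min_shared_ratio": round(min_ratio, 3),
        "pairwise": {k: round(v, 3) for k, v in ratios.items()},
        "is_template": min_ratio >= threshold,
    }


def fixed_template_generator(node_name):
    """Constructed stand-in for the reported behavior: a fixed blockchain
    lesson with the node name interpolated in a few places."""
    return (
        f"Lesson on {node_name} (25 minutes)\n"
        "Part 1 (5 min): What is a blockchain? A distributed ledger of hash-linked blocks.\n"
        "Part 2 (10 min): Consensus. Proof of work and proof of stake decide who appends the next block.\n"
        f"Part 3 (10 min): Applying {node_name} to smart contracts on Ethereum.\n"
        "Quiz 1: What links consecutive blocks? Quiz 2: Name two consensus mechanisms.\n"
    )


# Constructed contrast: content that actually depends on the node.
TOPIC_CONTENT = {
    "TCP three-way handshake": (
        "Lesson on TCP three-way handshake\n"
        "A client sends SYN, the server answers SYN-ACK, the client replies ACK. "
        "Initial sequence numbers are chosen unpredictably to resist spoofing.\n"
        "Quiz: What does the SYN flag signal?"
    ),
    "Photosynthesis": (
        "Lesson on Photosynthesis\n"
        "Chloroplasts capture light energy to convert carbon dioxide and water into glucose and oxygen.\n"
        "Quiz: Which organelle hosts the light reactions?"
    ),
    "Kirchhoff's current law": (
        "Lesson on Kirchhoff's current law\n"
        "The sum of currents entering a junction equals the sum leaving it, a direct consequence of charge conservation.\n"
        "Quiz: Which quantity is conserved at a junction?"
    ),
}


def topic_aware_generator(node_name):
    return TOPIC_CONTENT[node_name]


SAMPLE_NODES = list(TOPIC_CONTENT)

if __name__ == "__main__":
    print(audit_generator(fixed_template_generator, SAMPLE_NODES))
    print(audit_generator(topic_aware_generator, SAMPLE_NODES))
```

For the fixed-template stand-in every masked pair is identical (ratio 1.0), so the verdict is `is_template`; for the topic-aware stand-in the pairwise ratios stay well below 0.5. Choose nodes from clearly different domains for this check: if all the test nodes happen to be blockchain topics, a blockchain template will look legitimately on-topic and the check will not fire.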

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata says it generates personalized learning content, but this module also performs live retrieval from external services and merges that data into outputs. This expands the skill's behavior beyond its declared scope, creating a transparency and trust problem because users and operators may not realize topics are being sent off-platform and that outputs depend on dynamic third-party content.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code generates a validation report and labels content with 'authoritative' confidence, but this verification capability is not declared in the skill description. Undisclosed fact-checking or validation claims can mislead downstream users into overtrusting heuristic assessments, especially when the underlying confidence logic is simplistic and not equivalent to rigorous verification.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill enforces a specific locale/compliance policy context ('国内合规', domestic compliance: prioritizing national standards and official domestic sources) without indicating user choice or configurability. While not inherently malicious, this can silently bias outputs, exclude relevant sources, and create governance issues when the user expects neutral or global content generation. In a learning-content generator this matters because source selection directly shapes educational accuracy and completeness.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The documentation hard-codes a China-only sourcing policy and bans unverified foreign-language sources without any user locale or language preference mechanism. This can systematically bias outputs, suppress relevant authoritative non-Chinese materials, and create unsafe or misleading educational content when the topic requires international standards or broader technical references.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
User-provided topics are sent to external services for retrieval without any visible disclosure, consent flow, or privacy control. Even if the topic seems harmless, it may contain sensitive educational interests, proprietary subject names, internal project terms, or personal data, which would then be exposed to third parties.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
Hard-coding Chinese Wikipedia as the default source without user opt-in can create privacy, compliance, and content-governance issues, especially for users expecting a different locale or stricter jurisdictional handling. In this learning-content context it is not an exploit primitive by itself, but it increases the risk of undisclosed cross-border data use and inappropriate content sourcing.
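The Missing User Warnings finding and the two findings on a hard-coded Chinese Wikipedia default point at one remediation: outbound retrieval should be off by default, the set of sources should be a caller choice rather than a fixed locale, the user should see where topic text will go before it is sent, and the audit trail should not itself leak the topic. The following is an added example of such a gate, not the audited skill's code; the source registry, the policy fields and the fake fetcher are assumptions constructed for illustration.

```python
"""Added example: a default-deny gate for a RAG enhancer's outbound lookups.
The source registry, policy fields and fake fetcher are constructed
assumptions, not the audited skill's real code."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed registry of retrieval back ends; none is selected by default.
SOURCE_REGISTRY = {
    "wikipedia-zh": "https://zh.wikipedia.org/w/api.php",
    "wikipedia-en": "https://en.wikipedia.org/w/api.php",
    "arxiv": "https://export.arxiv.org/api/query",
}


class ExternalRetrievalDenied(PermissionError):
    """Raised when a lookup would send topic text off-platform without opt-in."""


@dataclass
class RetrievalPolicy:
    external_allowed: bool = False   # off unless the user or operator opts in
    allowed_sources: tuple = ()      # explicit allowlist, e.g. ("wikipedia-en", "arxiv")
    audit_log: list = field(default_factory=list)

    def disclosure(self):
        """Statement of where topic text will go, to show before the skill runs."""
        if not self.external_allowed or not self.allowed_sources:
            return "External retrieval is disabled; content is built from local inputs only."
        hosts = sorted({urlparse(SOURCE_REGISTRY[s]).netloc
                        for s in self.allowed_sources if s in SOURCE_REGISTRY})
        return "Topic text will be sent to: " + ", ".join(hosts)


def retrieve(topic, source, policy, fetch):
    """Perform one lookup only if the policy permits it. The audit entry keeps a
    truncated hash of the topic, enough to correlate requests without recording
    the topic text itself."""
    if not policy.external_allowed:
        raise ExternalRetrievalDenied("external retrieval requires explicit opt-in")
    if source not in SOURCE_REGISTRY or source not in policy.allowed_sources:
        raise ExternalRetrievalDenied(f"source {source!r} is not in the allowed set")
    url = SOURCE_REGISTRY[source]
    policy.audit_log.append({
        "host": urlparse(url).netloc,
        "topic_sha256": hashlib.sha256(topic.encode("utf-8")).hexdigest()[:16],
    })
    return fetch(url, topic)


def fake_fetch(url, topic):
    """Constructed stand-in for the network call; returns what would be sent."""
    return {"url": url, "topic": topic}


if __name__ == "__main__":
    locked = RetrievalPolicy()
    print(locked.disclosure())
    opted_in = RetrievalPolicy(external_allowed=True, allowed_sources=("wikipedia-en",))
    print(opted_in.disclosure())
    print(retrieve("TCP three-way handshake", "wikipedia-en", opted_in, fake_fetch))
    print(opted_in.audit_log)
```

With the default policy every lookup raises before anything leaves the host; with an explicit allowlist, the disclosure names the exact hosts, a source outside the allowlist is still refused, and the log records only the destination and a hashed topic.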

VirusTotal

67/67 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.