Back to skill

Security audit

SJTU Canvas 课程助手

Security checks across malware telemetry and agentic risk

Overview

This Canvas helper is purpose-aligned but needs review because it can access private course data and perform calendar or submission actions without enough safeguards.

Review before installing. Use a least-privilege Canvas token if possible, keep config values simple, avoid running calendar sync on untrusted course or assignment names, and do not use assignment submission until the syntax error and confirmation, file-scope, and destination-validation gaps are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end if
end tell
'''
    r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)
    return r.returncode == 0

def create_event(summary, due_dt, description=""):
Confidence
98% confidence
Finding
r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
end tell
'''
    r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)
    return r.returncode == 0

def list_existing_events():
Confidence
99% confidence
Finding
r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
end tell
'''
    r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)
    if r.returncode == 0:
        return [s.strip() for s in r.stdout.strip().split(",")]
    return []
Confidence
96% confidence
Finding
r = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly describes capabilities that read and write local files, access the network, and invoke shell commands, yet it declares no permissions or trust boundaries. This creates a real security issue because an agent or user may authorize the skill without understanding that it can download files, read course data, sync calendars, and submit assignments to external systems.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README advertises one-click/direct assignment submission but does not clearly warn that this operation writes to a live Canvas instance and can irreversibly modify submission state, timestamps, or uploaded artifacts. In an agent-driven workflow, users may invoke this capability conversationally without realizing it is a state-changing remote action, increasing the risk of accidental submissions or overwriting intended work.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The README promotes syncing DDLs into Apple Calendar/iCloud without warning that this writes events into the user's personal calendar ecosystem and may propagate across devices automatically. This can expose course metadata, create integrity issues from incorrect or duplicate events, and surprise users who assume the feature is read-only.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad, high-frequency terms such as '课程', '作业', 'DDL', '成绩', and English words like 'course' and 'assignment', which can cause the skill to activate in unrelated conversations. In a skill that can read academic records, download files, sync calendars, and submit assignments, over-broad triggering increases the chance of accidental invocation and unintended access or side effects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill advertises sensitive operations including reading grades, downloading course materials, writing calendar events, and submitting assignments, but it lacks a centralized, prominent risk notice describing data exposure and external side effects. Users may not realize that using the skill involves API tokens, access to academic information, local file writes, and actions against external services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script creates calendars and calendar events automatically without an explicit confirmation step immediately before modifying the user's local calendar. In an agent-skill context, this is more dangerous because a user may ask to inspect deadlines and the skill can silently perform persistent side effects on the host system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This function uploads arbitrary local files to remote URLs and then submits them as coursework without any built-in confirmation, path restrictions, or destination validation. In an agent context, that increases the chance of unintended exfiltration of local files or irreversible submission actions, especially because upload_info["upload_url"] is trusted and the function can be called programmatically.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

No suspicious patterns detected.