ClawHub

教师教学能力动态评估Skill

Security checks across malware telemetry and agentic risk

Overview

This is a non-executable design skill for teacher evaluation that handles sensitive school data, but its sensitive behavior is disclosed and aligned with its stated purpose.

Before installing or deploying, confirm that only authorized school roles can access identifiable student or teacher data, exports are limited and logged, anonymous views are the default where appropriate, mapping changes require review, and privacy/retention rules match local education and employment requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Allowing school administrators to add, delete, or modify knowledge points and textbook mappings introduces an integrity risk to the evaluation pipeline. If these mappings are changed improperly or abusively, teacher comparisons, student mastery calculations, and historical trend analysis can be distorted without touching the scoring code itself.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill description lists broad trigger scenarios but does not define strict activation boundaries, permitted requesters, or exclusion conditions. In a system handling teacher evaluations and student-derived performance data, ambiguous triggering increases the chance the skill is invoked for unauthorized profiling, ranking, or disclosure workflows beyond intended educational administration use.

Missing User Warnings

High
Confidence
96% confidence
Finding
This skill processes highly sensitive education data, including student performance, teacher evaluations, comparative rankings, and role-based visibility, yet the description contains no privacy notice, consent basis, retention rules, or user-facing data-handling constraints. Because the context involves minors and personnel assessment, missing privacy controls materially raises the risk of unauthorized disclosure, over-collection, and noncompliant use of personally identifiable or evaluative data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal