前程似锦-高考升学规划Pro

Security checks across malware telemetry and agentic risk

Overview

This education-planning skill is not malicious, but it needs Review because its pricing materials describe identity tracking, payments, referral attribution, and commission settlement that are not reconciled with its privacy claims.

Before installing, treat this as an admissions-planning skill with a built-in reseller/payment design. Ask the publisher to clarify what personal identifiers, payment records, referral data, and redemption-code data are collected or stored; who can access them; how users consent, delete data, get refunds, and dispute charges; and whether the privacy statement will be updated to match the pricing flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The document explicitly proposes limiting free use by binding activity to a phone number/WeChat account and tracking referral-linked customer activity, but it provides no notice, consent flow, retention policy, or privacy controls. In an education-planning product handling identifiable user data and conversion tracking, this creates real privacy and compliance risk because users may be monitored or profiled without transparent disclosure.

Missing User Warnings

Medium
Confidence: 88%
Finding
The design includes payment processing, package purchasing, redemption-code issuance, and commission settlement flows, yet there is no mention of user warnings, confirmation steps, refund terms, fraud controls, or safeguards around financially impactful actions. In a system involving B-end and C-end payments plus transferable codes, this increases the risk of accidental purchases, abuse, disputes, and account-impacting transactions without adequate transparency.

VirusTotal

65/65 vendors flagged this skill as clean.
