Course TA

Security checks across malware telemetry and agentic risk

Overview

This is a real Canvas/Discord course assistant, but it needs review because it can access student LMS records, store them locally, and post announcements with a Canvas token.

Install only if the operator is authorized to connect this agent to Canvas and Discord for the affected courses. Use a least-privilege Canvas token, activate only intended courses, disable enrollment/submission/grade sync unless required, restrict broadcast permissions, protect credentials and data directories, and give students clear notice before logging, staff-channel reposting, or forwarding their identity and request content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Description-Behavior Mismatch

High severity, 95% confidence.
The README materially expands the skill from a course Q&A assistant into a broad Canvas-integrated admin platform with syncing, dashboard access, enrollment handling, and write-capable operations. This scope drift is dangerous because operators and downstream agents may grant the skill far more access than implied by the manifest, enabling excessive data collection or privileged actions under the guise of a narrower educational assistant.

Description-Behavior Mismatch

High severity, 98% confidence.
The README advertises grade-related dashboard functionality even though the skill metadata says it refuses grade inquiries. That contradiction creates a real risk of exposing FERPA-sensitive academic records or encouraging users/admins to use the tool for prohibited grade access, undermining the claimed safety boundary.

Intent-Code Divergence

Medium severity, 87% confidence.
The stated security model is internally inconsistent: it claims course-scoped memory access while also describing unrestricted Canvas reads and broad dashboard capabilities. Ambiguous or contradictory boundaries are dangerous because they lead to overtrust, misconfiguration, and accidental cross-scope data exposure when users assume stricter isolation than actually exists.

Description-Behavior Mismatch

High severity, 99% confidence.
The skill claims it refuses grade inquiries, yet it includes grade overview and submission-tracking commands via Canvas. That contradiction can expose sensitive student performance data through an interface users believe is policy-restricted, and increases the chance of accidental disclosure to the wrong requester or channel.

Description-Behavior Mismatch

Medium severity, 87% confidence.
The manifest frames the skill as a course-material Q&A assistant, but it can also forward student messages to the professor via Discord DM. This adds a communication/exfiltration path that users may not anticipate, and it changes the privacy model of interacting with the bot.

Context-Inappropriate Capability

Medium severity, 90% confidence.
Student-to-professor DM forwarding is an extra capability beyond the core teaching-assistant purpose and creates a new outbound data channel. Even if intended as helpful, it can be abused or accidentally triggered to relay personal or sensitive content outside the original conversation context.

Description-Behavior Mismatch

Medium severity, 94% confidence.
The skill is described as answering questions using course materials already placed in workspace memory, but this file adds a general-purpose Canvas API client with broad LMS enumeration and download capabilities. That scope expansion increases attack surface and enables access to live institutional data beyond the declared RAG-only purpose, which is risky in an agent context where prompts or tool chaining could trigger unintended data access.

Context-Inappropriate Capability

High severity, 97% confidence.
The client exposes methods for retrieving enrollments and assignment submissions, which can contain sensitive educational records and student data not needed for a course Q&A assistant. In this skill context, that is especially dangerous because the manifest promises strict course-scope boundaries and does not justify access to FERPA-relevant information such as roster details or student work.

Context-Inappropriate Capability

Medium severity, 95% confidence.
The download_file method allows remote Canvas-hosted content to be written to an arbitrary local path supplied by the caller. For a skill that claims to use materials already present in workspace memory, this introduces an unjustified file-ingest capability and creates risk of overwriting files, importing untrusted content, or expanding the agent's reachable data surface via live network fetches.

Description-Behavior Mismatch

High severity, 96% confidence.
This file materially expands the skill from a Discord course Q&A assistant into a Canvas course discovery and activation tool. That broader capability introduces access to remote account/course metadata and local course management state that are not required for answering student questions, increasing the attack surface and enabling collection or exposure of institutional data beyond the manifest’s stated purpose.

Context-Inappropriate Capability

Medium severity, 92% confidence.
The code enumerates all Canvas courses for the current account, groups them by enrollment role, and highlights locally activated courses. In the context of a teaching-assistant skill, this is more dangerous because it grants enrollment-aware discovery capabilities unrelated to student Q&A, which could reveal course existence, roles, and metadata to components or operators that should not need that visibility.

Description-Behavior Mismatch

High severity, 94% confidence.
This file materially expands the skill from a Discord course Q&A/RAG assistant into a Canvas administration dashboard with cross-course operational capabilities. That scope drift is dangerous because it introduces privileged access paths to course data and administration features that are not justified by the declared skill purpose, increasing the chance of misuse, prompt-triggered abuse, or accidental invocation.

Context-Inappropriate Capability

High severity, 96% confidence.
The code exposes roster data, missing-submission tracking, engagement metrics, and grade statistics, all of which are sensitive educational records or analytics. In the context of a student-facing TA assistant, these capabilities create an unjustified privacy and authorization risk: if reachable through the agent, they could disclose student identities, performance, or participation data to unauthorized users.

Context-Inappropriate Capability

High severity, 98% confidence.
The broadcast command is an active write capability that posts announcements to all configured courses, which is far beyond the stated course-assistant role. Even with a CLI confirmation prompt, this is dangerous because an agent or operator with access could mass-post misleading or malicious announcements across sections, causing integrity damage and broad user impact.

Intent-Code Divergence

Medium severity, 84% confidence.
The module presents itself as a dashboard/read-oriented utility, but it also contains a write-side broadcast action. That mismatch can cause reviewers or deployers to underestimate risk and provision broader access than intended, especially when combined with agent tooling where seemingly harmless utilities may be auto-exposed.

Description-Behavior Mismatch

Medium severity, 93% confidence.
The sync engine is configured to ingest enrollment data by default even though the skill’s stated purpose is RAG over course materials, not student roster management. Collecting and persisting personally identifying roster information broadens data access beyond least-privilege needs and creates unnecessary privacy exposure if the workspace, logs, or downstream tooling are accessed by unauthorized parties.

Context-Inappropriate Capability

Medium severity, 97% confidence.
This code retrieves enrollment records from Canvas and stores a local roster containing user IDs, names, roles, and enrollment states. Even though it avoids memory indexing and omits emails, it still collects student-related data unrelated to answering course-content questions, increasing the chance of privacy leakage, unauthorized disclosure, or future misuse by other components with filesystem access.

Missing User Warnings

Medium severity, 90% confidence.
The README states that all interactions are audit-logged with user IDs, but it does not disclose retention, access controls, or privacy implications to users. In an educational context, interaction logs tied to identities can contain sensitive student questions and metadata, creating privacy and compliance risk if collected silently or retained indefinitely.

Missing User Warnings

Medium severity, 97% confidence.
The forwarding flow sends the student's name, Discord identity, and request summary to the professor without clearly warning the student that this disclosure will occur before transmission. That is a privacy flaw because users may expect the bot interaction to stay within the current channel/thread unless informed otherwise.

Missing User Warnings

Medium severity, 96% confidence.
The skill logs user questions and responses to disk and may repost summaries to a Discord log channel, but this monitoring is not clearly disclosed in the user-facing description. Undisclosed retention and secondary sharing of student content can create privacy, compliance, and trust issues, especially in educational settings.

Missing User Warnings

Low severity, 81% confidence.
The validation CLI prints a prefix and suffix of the Canvas access token to stdout. While partial masking reduces exposure, it still leaks credential material into terminals, logs, screenshots, or chat transcripts and is unnecessary for routine validation.

Ssd 3

Medium severity, 95% confidence.
The logging instructions store user-provided questions and answer excerpts and may repost parts of them to another Discord channel. If students include personal data, grades, health issues, or other sensitive information, the system amplifies exposure by retaining and redistributing that content beyond the original context.

VirusTotal

65/65 vendors flagged this skill as clean.