
japanese-tutor

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION

Detailed Analysis:

  1. Indirect Prompt Injection (HIGH): The skill is designed to ingest user-provided PDF and DOCX files (scripts/parse_pdf_gemini.py, scripts/parse_docx.py). The content of these files is then processed by the agent, and for PDFs, sent to Google's Gemini API. This creates a significant attack surface for indirect prompt injection, where malicious instructions embedded within a user's document could manipulate the agent's subsequent actions or responses. The skill's instructions explicitly state that it will "Explain the content to the user" and "Identify the tasks/questions" from these parsed documents, making it highly susceptible to interpreting malicious instructions as legitimate tasks.

  2. Persistence Mechanism (HIGH, exacerbates Indirect Prompt Injection): The SKILL.md explicitly states that the skill will "Append new vocabulary to references/vocab.md", "Append new grammar to references/grammar.md", and "create/update references/lesson_X.md" based on the ingested material. If an indirect prompt injection occurs via a malicious PDF/DOCX, the malicious instructions or data could be written into these reference files, making the injection persistent across sessions and potentially affecting future interactions with the agent.

  3. Data Exfiltration (MEDIUM): The scripts/parse_pdf_gemini.py script uploads user-provided PDF files to Google's Gemini API (genai.upload_file). While Google is a trusted service, this action involves sending potentially sensitive user data (the content of the PDF) to an external third-party service. Users should be aware that their document content will be transmitted to Google for processing. The script also accesses GEMINI_API_KEY from environment variables, which is a good practice for credential handling, but its presence enables this data transfer.

  4. Unverifiable Dependencies (MEDIUM): The scripts/parse_docx.py script imports docx (likely python-docx), and scripts/parse_pdf_gemini.py imports google.generativeai. These are external Python libraries that are not provided within the skill's files. While google-generativeai is from a trusted organization (Google), and python-docx is a common library, their exact versions and integrity cannot be verified directly from the skill's provided files. This introduces a dependency risk.

No direct Prompt Injection, Privilege Escalation, Persistence (other than content), Obfuscation, or Time-Delayed attacks were found in the skill's own code or instructions. The greet.py script uses datetime.datetime.now().hour for conditional greetings, which is benign.

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 06:14 AM