Neonatal Jaundice Screening (Facial Skin Color) | 新生儿黄疸筛查(面部皮肤颜色)

Security checks across malware telemetry and agentic risk

Overview

This skill claims to screen newborn jaundice but ships mismatched generic analysis code and under-disclosed handling of infant images, identifiers, accounts, and tokens.

Do not install this version for real newborn health screening unless the publisher fixes the domain mismatch, documents clinical validation, removes pet/generic-analysis paths, replaces the phantom dependency, and clearly explains consent, cloud upload, account creation, token storage, report history, retention, deletion, and billing behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill instructs automatic retrieval of cloud-hosted historical neonatal reports and report URLs, which goes beyond on-demand image analysis and broadens access to sensitive medical records. In the context of infant health data, exposing historical report listings and direct report links increases privacy risk, especially if identifiers are weak or shared.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill instructs reading configuration files to obtain an open-id or API credential before analysis, introducing credential discovery and handling that is not justified by the public description. This is dangerous because it normalizes secret extraction from local files and may cause accidental use of stored credentials without the user's awareness, especially in shared workspaces.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The task scope expands from simple risk hints to estimated bilirubin values and historical report management, materially increasing the sensitivity and clinical weight of the output. In a neonatal health context, undocumented expansion can mislead users about the medical reliability of the tool and broaden the amount of sensitive health data processed and stored.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
A neonatal jaundice screening skill containing an inline comment about adding a pet-type parameter is a strong indicator of code reuse or misbinding to the wrong domain model. In a medical context, this mismatch can cause requests to be routed or interpreted incorrectly, leading to wrong analysis behavior, corrupted records, or unsafe clinical hints for newborns.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The analysis request sends a petType parameter in a skill intended for neonatal jaundice screening, which indicates the request schema may belong to a different product domain. In a health-related system, this can produce misclassification, backend confusion, or use of the wrong model/pipeline, potentially resulting in false reassurance or missed escalation for a newborn at risk.

Intent-Code Divergence

High
Confidence: 95%
Finding
The script presents itself as a neonatal jaundice screening tool but exposes a pet-oriented selector (`cat`, `dog`, `other`) and writes into `DEFAULT__PET_TYPE`. In a medical context, this kind of domain mismatch strongly suggests the analysis path may be reused from an unrelated animal pipeline, which can lead to incorrect risk assessments, unsafe parental reassurance, or missed escalation for newborns.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The implementation delegates analysis through a generic `skill.get_output_analysis` flow while also allowing a pet-type override, rather than showing a clearly neonatal-specific and clinically constrained jaundice screening path. For a health-related skill involving newborns, ambiguous routing to a generic classifier is dangerous because it may silently apply the wrong model or preprocessing logic and produce misleading medical risk hints.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The documented API is materially inconsistent with the stated purpose of neonatal jaundice screening. It describes a generic video-analysis/TCM-style diagnosis service with outputs such as constitution, organ condition, and lifestyle advice, which suggests either backend misbinding or deceptive capability documentation; in a medical newborn context, this can lead to unsafe clinical reliance on unrelated analysis results.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Allowing arbitrary public video URLs is unjustified for a narrowly scoped neonatal screening skill and expands the attack surface beyond expected baby-monitor captures. It can enable submission of unrelated third-party videos, accidental collection of non-consenting subjects, or misuse of the service as a generic remote video-analysis endpoint.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The implementation accepts either a local file or an arbitrary HTTP(S) URL and maps it to a video-analysis request, which materially differs from the skill description of high-resolution facial image screening for neonatal jaundice. This mismatch can cause unintended collection and transmission of broader newborn video data than users expect, increasing privacy and safety risk in a medical context involving infants.

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The implementation materially diverges from the declared medical purpose: it is a generic video-analysis wrapper that accepts arbitrary inputs rather than a constrained neonatal jaundice image-screening pipeline. In a healthcare context, this mismatch is dangerous because users may rely on it for infant risk screening while the code provides no modality, validation, or safety controls consistent with that use, creating a serious risk of unsafe or misleading medical output.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
Accepting arbitrary remote video URLs introduces an unjustified network-ingestion surface for a neonatal screening skill. This can expose the backend to untrusted content retrieval, privacy leaks, and misuse outside the intended baby-monitor workflow, especially when handling sensitive infant media.

Intent-Code Divergence

High
Confidence: 96%
Finding
The code and CLI repeatedly describe 'video analysis' rather than neonatal image-based jaundice screening, reinforcing that the shipped behavior does not match the medical claims. In a newborn-health setting, this discrepancy can mislead parents or staff into trusting an unfit tool for clinical decision support, increasing the chance of missed escalation or false reassurance.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The file defines a generic user table that stores usernames, email addresses, birthdays, tokens, and open tokens, none of which are clearly necessary for neonatal jaundice image screening. In a medical-context skill handling newborn-related data, collecting and persisting account identifiers and authentication tokens increases privacy, compliance, and breach impact, especially because tokens appear to be stored directly in plaintext.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The shared HTTP utility performs hidden account creation/login against an external health endpoint, fetches tokens, and persists them locally via DAO. That behavior is unrelated to a neonatal jaundice image-screening helper and creates a covert identity/authentication side effect that can transmit user identifiers and establish accounts without explicit consent.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
On HTTP 402, the code returns instructions to install and use an external payment skill, coupling this medical screening skill to a separate payment workflow. This is dangerous because it can steer users into unrelated actions and monetization flows from within a health context, increasing phishing-like trust abuse and unexpected external dependency risk.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger conditions are overly broad, including default activation for essentially any newborn face image or video analysis request. Broad auto-triggering is risky for a sensitive medical skill because it can capture and process highly sensitive infant images without a clear, specific user request for jaundice screening.

Missing User Warnings

High
Confidence: 96%
Finding
The documentation does not clearly warn users that newborn facial images and identifiers may be uploaded to a cloud API and that attachments may first be saved locally. This omission is especially serious because the data concerns minors and health-related information, so undisclosed transmission and storage can create substantial privacy, compliance, and trust harms.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script requires and propagates `open-id` values that may be an OpenID, username, or phone number, but provides no notice about collection, storage, transmission, retention, or access controls. In a newborn health-monitoring context, this creates privacy and compliance risk because sensitive identifiers can be linked to infant medical screening records without informed disclosure or minimization.

Missing User Warnings

Medium
Confidence: 96%
Finding
The API documentation instructs clients to upload videos or provide public video URLs to a remote service but provides no warning about handling highly sensitive infant biometric/health data. In a newborn medical-screening context, silent transmission of facial videos creates significant privacy, compliance, and trust risks, especially if users are not informed about storage, retention, sharing, or cross-border processing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill reads local file contents into memory for upload or forwards a remote media URL to an external analysis service without any in-code disclosure, consent flow, or visible privacy notice. In a healthcare-adjacent neonatal monitoring context, silent transfer of infant facial imagery/video is sensitive and can expose protected health and biometric information to third parties.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script requires and transmits a user identifier such as OpenID, username, or phone number for history lookup without meaningful notice, minimization, or privacy controls. In the context of infant-health monitoring, linking sensitive media history to direct identifiers raises privacy and compliance risks if mishandled or exposed.

Missing User Warnings

Medium
Confidence: 80%
Finding
The analysis flow appears to send local file paths or remote URLs into a network-backed analysis service without clearly informing the user that media may be transmitted off-device. Because the skill handles newborn imagery, undisclosed transfer of potentially sensitive infant media meaningfully increases privacy and trust risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The request utility automatically sends user identifiers such as mobile/openId/pnaUserName and authentication headers to external services without any visible consent or disclosure in this code path. In a newborn health-monitoring context, silent transmission of identity and auth data is especially sensitive because users may reasonably expect medical screening assistance, not background account-linked data sharing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code stores retrieved token and openToken values through DAO save/update without showing any controls around secure storage, retention, or user awareness. Persisting long-lived authentication material increases the blast radius of local compromise and creates hidden account linkage in a medical-assistance skill.

VirusTotal

VirusTotal findings are pending for this skill version.
