Stroke Risk Screening Analysis Skill

Security checks across malware telemetry and agentic risk

Overview

This health-screening skill mostly matches its stated purpose, but it handles biometric and medical data with under-disclosed account creation, token storage, and inconsistent backend documentation.

Review this carefully before installing. Use it only if you trust the Life Emergence/SMYX backend with face media, health indicators, usernames or phone numbers, report history, and locally cached service tokens. Avoid using a phone number as an identifier unless required, do not pass private or internal media URLs, and treat saved reports as sensitive medical-adjacent files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Intent-Code Divergence (severity: Low, confidence: 86%)

The documentation says the agent must not derive or reuse a default open-id, but the examples repeatedly pass `openclaw-control-ui` as a concrete argument. In practice, examples strongly influence implementations, so this contradiction can cause reports to be associated with the wrong account, exposing or corrupting another user's medical screening history.

Intent-Code Divergence (severity: Medium, confidence: 97%)

The API documentation describes a pet health analysis service while the skill is presented as a stroke-risk screening tool, which is a serious scope and identity mismatch. In a medical context, this can cause the agent to call the wrong backend, process the wrong category of sensitive data, or present misleading medical outputs, creating both safety and privacy risks.

Description-Behavior Mismatch (severity: High, confidence: 95%)

The skill is described as stroke-risk screening, but this file exposes CRUD-style operations for camera/device management, including add, edit, list/page, and delete by camera serial number. That mismatch strongly suggests code reuse or hidden capability beyond the declared scope, which can enable unauthorized device inventory manipulation or deletion if these methods are reachable through the skill.

Intent-Code Divergence (severity: Medium, confidence: 87%)

The inline comment and logic add a petType parameter in a medical stroke-screening skill, which is inconsistent with the stated purpose and indicates probable copy-paste from unrelated functionality. This kind of hidden cross-domain parameterization can route requests incorrectly, contaminate backend processing, or reveal that the skill is invoking an unintended service, increasing the risk of unsafe or unauthorized behavior.

Description-Behavior Mismatch (severity: Medium, confidence: 89%)

The skill accepts an arbitrary remote URL and forwards it to backend analysis without any visible allowlisting, validation, or user warning. In practice this can enable backend-side fetching of attacker-controlled URLs, creating SSRF-like exposure, unexpected third-party data transfer, or processing of untrusted remote content beyond the stated local-media use case.

Context-Inappropriate Capability (severity: Medium, confidence: 84%)

The CLI accepts a very broad identifier type for a sensitive medical-history-related operation, including username or phone number, which increases the chance of querying or associating records using guessable identifiers. In a health-screening context, weak identity binding can expose prior analysis metadata or results to the wrong party if backend authorization is imperfect.

Description-Behavior Mismatch (severity: Medium, confidence: 95%)

The documented endpoint is a generic video-upload 'common-analysis' API and its example response describes broad facial/constitution analysis rather than stroke-risk screening with physiological indicators as claimed in the skill metadata. In a medical-risk context, this mismatch can mislead integrators and users about what is actually being analyzed, creating unsafe reliance on irrelevant outputs for stroke triage or medical guidance.

Description-Behavior Mismatch (severity: Medium, confidence: 95%)

This service exposes generic list, page, add, edit, and delete operations that are broader than the stated stroke-risk screening purpose. In a medical screening skill, undocumented CRUD-style endpoints increase the attack surface and may enable unauthorized manipulation or enumeration of backend resources, especially since the code appears to manage camera-linked records rather than purely analysis results.

Context-Inappropriate Capability (severity: High, confidence: 98%)

The delete method allows removal of camera-linked resources using only a camera serial number parameter, which is not justified by the skill's declared medical analysis function. In this context, such a capability could be abused to tamper with device associations, disrupt monitoring workflows, or delete operational data related to patient screening infrastructure.

Description-Behavior Mismatch (severity: High, confidence: 95%)

The implementation exposes a generic video-analysis and history-listing workflow that does not align with the declared medical stroke-risk screening purpose. This kind of scope mismatch is dangerous because it can conceal broader data-processing behavior than users expect, especially in a health-related skill where users may submit sensitive biometric or medical content under false assumptions about how it is being used.

Context-Inappropriate Capability (severity: Medium, confidence: 88%)

Accepting arbitrary remote video URLs expands the skill beyond the stated medical screening use case and introduces unnecessary attack surface. It can enable analysis of third-party or untrusted content, unexpected outbound fetching, and privacy or SSRF-like risks depending on how downstream components retrieve and process the URL.

Description-Behavior Mismatch (severity: Medium, confidence: 89%)

This file implements a generic persistence layer and a user-account table that stores profile and token-related data, which is broader than the stated stroke-risk screening purpose. In a medical-context skill, collecting and persisting unrelated user/account data increases privacy and data-minimization risk, especially because health-adjacent applications handle sensitive user trust and potentially regulated data.

Context-Inappropriate Capability (severity: Medium, confidence: 93%)

The User model stores token and open_token fields in a local SQLite database without any protections visible here such as encryption, hashing, scoping, or retention controls. If the local database is accessed by another process or user, these values could enable account takeover, API abuse, or unauthorized access to connected services; in a health-related skill this is more serious because compromise can expose sensitive user context.

Description-Behavior Mismatch (severity: High, confidence: 97%)

This utility layer performs account creation/login against a health platform, retrieves authentication tokens, and persists them locally via DAO operations. That behavior is materially beyond a stroke-risk screening skill's stated purpose and creates a hidden authentication and identity-management capability that could access or bind user accounts without clear consent.

Context-Inappropriate Capability (severity: Medium, confidence: 91%)

The code contains a recharge/payment guidance path triggered by HTTP 402 responses, instructing the user to install a payment skill and recharge an account. This is unrelated to stroke-risk analysis and introduces an unexpected monetization workflow that can manipulate users into additional actions outside the declared skill scope.

Vague Triggers (severity: Medium, confidence: 88%)

The history-report auto-trigger phrases are broad enough to match ordinary conversational requests, which can cause the skill to query cloud history unexpectedly. In a medical context, unintended retrieval of prior stroke-risk reports can disclose sensitive health information or surface another user's records if identity handling is weak.

Vague Triggers (severity: Medium, confidence: 84%)

The default activation rule is vague: uploading a face image/video can automatically trigger stroke screening without a clear, affirmative request for medical analysis. Because the skill processes biometric imagery and health indicators, ambiguous activation raises privacy, consent, and misclassification risks.

Missing User Warnings (severity: High, confidence: 97%)

The skill handles face images/videos, blood pressure, blood sugar, blood lipids, and historical medical reports, and sends data to a cloud/API service, but it does not provide a clear privacy and data-handling warning at the point of use. This is especially dangerous because biometric and health data are highly sensitive, and users may not realize their data is stored locally and transmitted remotely.

Missing User Warnings (severity: Medium, confidence: 84%)

The document advertises file upload and report export capabilities but provides no warnings or constraints around handling sensitive health information. For a medical screening skill, this increases the risk of over-collection, unsafe transmission, or broad export of personal health data without clear minimization, authorization, or user notice.

Missing User Warnings (severity: Medium, confidence: 87%)

The tool transmits highly sensitive health-related inputs and media for analysis without an explicit runtime notice about external processing, privacy implications, or retention. In a medical screening skill, silent transmission of blood pressure, blood sugar, lipids, and facial media materially increases privacy and compliance risk if users do not understand where their data is going.

Missing User Warnings (severity: Medium, confidence: 85%)

The script can write medical screening output to an arbitrary file path without warning that sensitive health data will be stored locally on disk. On shared systems or poorly protected environments, this can lead to unintended disclosure of private medical information through filesystem access, backups, or logs.

Missing User Warnings (severity: Medium, confidence: 91%)

The API documentation instructs clients to transmit videos of faces and an API key but provides no privacy, consent, retention, encryption, or sensitive-health-data handling guidance. Because this skill processes biometric/health-related data in a medical context, omission of these controls materially increases the risk of privacy violations, unauthorized disclosure, and noncompliant handling of sensitive personal data.

Missing User Warnings (severity: Medium, confidence: 94%)

The code reads the full local file and uploads it to a remote analysis API, but there is no visible consent, notice, or minimization logic in this layer. Because this skill handles health-related screening content, silent transmission of potentially sensitive biometric or medical media materially increases privacy and compliance risk if users do not understand their data is leaving the local environment.

Missing User Warnings (severity: Low, confidence: 90%)

The skill forwards a user-supplied remote URL to the analysis service without any warning or transparency to the user. In a health-screening context, this can disclose private resource locations or trigger backend retrieval of sensitive media without informed consent, creating privacy and trust risks even if the fetch is otherwise intentional.

Missing User Warnings (severity: Medium, confidence: 86%)

The code requires an open_id and accepts video input for remote analysis without any visible privacy notice, minimization, or consent mechanism in this file. In a health-oriented skill, transmitting user identifiers together with potentially sensitive facial or physiological video data increases privacy and regulatory risk if users are not clearly informed and protections are not enforced.

VirusTotal

VirusTotal findings are pending for this skill version.