med-record-struct

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised medical-record structuring, but it sends medical text to an external service despite promising de-identification and no local persistence.

Review before installing or using with real records. Only use already de-identified text unless the publisher provides auditable redaction, consent, endpoint, retention, and data-use controls. VirusTotal is pending and the static scan was clean, but the artifact evidence itself is enough to require Review rather than a benign pass.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation claims strict de-identification, no local persistence, and possible third-party API use, yet it declares no permissions while demonstrating file read, file write, and network capabilities. This mismatch is security-relevant because the skill processes highly sensitive medical data, and undisclosed I/O or network behavior can lead to unauthorized disclosure, retention, or transfer of protected health information.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill advertises medical record structuring but hard-codes a remote API endpoint and sends the full follow-up record off-host for processing. Because the data is medical text and likely contains sensitive personal and health information, this creates a significant confidentiality and compliance risk when the outbound transmission is not clearly disclosed in the skill's behavior or description.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The helper posts JSON containing the medical record to an external service, which is a sensitive data exfiltration path beyond simple local text transformation. In a medical context, undisclosed outbound transmission materially increases privacy, legal, and trust risks even if HTTPS is used, because the danger is the disclosure itself, not only transport security.

Missing User Warnings

High
Confidence
95% confidence
Finding
At the call site, the full record text is sent to the remote API with no user-facing warning, confirmation, or privacy notice. Given the skill handles outpatient follow-up records, the context makes this more dangerous because users may reasonably expect local structuring while the code silently discloses regulated health information to a remote service.

VirusTotal

64/64 vendors flagged this skill as clean.
