Medical

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local health-record organizer, but users should treat its medication and emergency prompts as reminders rather than medical advice.

Install only if you are comfortable storing medical details locally in the OpenClaw workspace. Keep the device and backups private, review what goes into emergency cards before putting them on a lock screen or in a wallet, and do not rely on the built-in interaction checks or symptom warnings for medical decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: Medium. Confidence: 87%.
The skill claims a strict boundary of local-first record management with 'never diagnosis or treatment advice,' but the interaction-checking section moves beyond passive recordkeeping into health-safety guidance. Even with disclaimers, presenting interaction categories, flagged medications, and action recommendations can be relied on by users as quasi-clinical advice, creating a mismatch between stated scope and actual capability.

Description-Behavior Mismatch

Severity: Medium. Confidence: 88%.
The skill’s stated boundary is record management only, explicitly excluding diagnosis or treatment advice, but generating symptom-based questions for a doctor moves into tailored medical-content generation. While lower risk than direct advice, it can still steer users’ clinical framing, omit urgent concerns, or create misleading recommendations in a sensitive health context.

Description-Behavior Mismatch

Severity: Medium. Confidence: 97%.
The script goes beyond passive record-keeping by generating drug interaction warnings from a hardcoded, incomplete ruleset. In a medical skill explicitly scoped to local health record management and 'never diagnosis or treatment advice,' this can mislead users into relying on incomplete safety advice, creating a real risk of false reassurance or inappropriate alarm.

Intent-Code Divergence

Severity: Low. Confidence: 88%.
The docstring describes the tool as only adding a medication, but the implementation also performs medical interaction evaluation and prints warnings. This mismatch can cause reviewers and users to underestimate the scope of the script and miss that it is providing health-related guidance outside the declared privacy and safety boundary.

Description-Behavior Mismatch

Severity: High. Confidence: 95%.
The script goes beyond record-keeping and performs symptom screening plus urgent care advice, then blocks logging based on matched keywords. In a health-record skill that explicitly promises no diagnosis or treatment advice, this creates unsafe scope creep: the triage is simplistic, can miss true emergencies or trigger on false positives, and may cause users to rely on an unvalidated gatekeeper.

Intent-Code Divergence

Severity: Medium. Confidence: 83%.
The module advertises itself as only adding a symptom, but it also screens for emergencies and exits before saving in some cases. This mismatch can mislead users, reviewers, and downstream agents about the actual behavior of the script, which is especially risky in a medical context where hidden decision logic affects whether important information is recorded.

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
This script goes beyond passive health record organization and performs medication safety evaluation by checking proposed drugs against a built-in interaction database and presenting risk categories and effects. In a medical skill whose manifest explicitly says it should never provide diagnosis or treatment advice, this creates a boundary violation that could cause users to rely on incomplete, outdated, or oversimplified interaction guidance when making medication decisions.

Intent-Code Divergence

Severity: Low. Confidence: 76%.
The docstring minimizes the behavior as a simple interaction check, while the actual feature evaluates medication combinations and reports severity/effects, which can influence treatment behavior. This mismatch increases the chance that reviewers, operators, or users underestimate the medical-decision support nature of the code and deploy it without appropriate controls.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The document explicitly encourages placing sensitive health information on a phone lock screen and in a wallet where it may be visible to strangers, thieves, or bystanders. Although some later sections discuss limiting included data, the initial guidance does not present a clear upfront warning about the privacy tradeoff, which can lead users to expose protected medical and identity-related information more broadly than intended.

Missing User Warnings

Severity: Medium. Confidence: 83%.
This section instructs collection and storage of highly sensitive medication and condition data, including doctor names and treatment purpose, but does not pair that with explicit privacy-handling guidance. In a medical context, omission of retention, access-control, local storage, encryption, and sharing warnings increases the chance that sensitive health information is stored or exposed unsafely.

Vague Triggers

Severity: Medium. Confidence: 84%.
The trigger condition activates on broad symptom mentions like 'I have headache' or 'my knee hurts,' which can capture ordinary conversation and cause the skill to begin collecting sensitive health data without sufficiently clear user intent. In a privacy-sensitive medical skill, overbroad activation increases the risk of unintended processing, retention, and structuring of personal health information.

Missing User Warnings

Severity: Medium. Confidence: 95%.
This document provides health-monitoring guidance, target ranges, and escalation suggestions without a prominent disclaimer that it is not medical advice and not a substitute for clinician or emergency guidance. In a medical-records skill, users may reasonably rely on this content during concerning symptoms or abnormal readings, increasing the risk of delayed care or inappropriate self-management.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The script stores highly sensitive health information to a predictable local path without any explicit user warning, consent flow, or mention of retention/privacy properties at the time of collection. Even for a local-first tool, silent persistence of medical data can expose users to privacy harm on shared machines, backups, compromised accounts, or other local access paths.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The script allows writing an emergency card containing highly sensitive medical information to any path supplied via --output, with no confirmation, permission hardening, or warning about insecure destinations. In a health-record skill, this is more dangerous because users are likely to export and retain the file, increasing the chance of accidental disclosure through world-readable locations, synced folders, shared directories, or backups.

VirusTotal

60/60 vendors flagged this skill as clean.