ClawHub

Bio-Ontology Mapper

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate biomedical term-mapping tool, but API mode can send submitted terms to external NLM services, so users should avoid patient-identifying text.

Use local-only processing for confidential or patient-identifying data. Enable API lookup only after confirming the text is de-identified and that sending terms to NLM services fits your privacy and compliance requirements; also avoid blindly installing the listed requirements because they are unnecessary or unpinned.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The parameter section requires `--use-api` and `--api-key` but does not provide a prominent warning that API-based processing may transmit biomedical text to third-party services. Given the domain, this omission increases the risk of accidental disclosure of sensitive or regulated data, especially if users assume local-only processing.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The synonym list maps Alzheimer's disease to the term "senile dementia," which is outdated and can be experienced as stigmatizing or misleading in biomedical normalization workflows. In a bio-ontology mapping skill, such terminology can propagate into downstream labels, search results, or structured outputs, creating reputational harm and reducing clinical language quality even if it does not directly enable code execution or system compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --use-api is enabled, user-supplied biomedical terms are sent to external UMLS and MeSH endpoints without any explicit consent flow, warning, or data-sensitivity check. Biomedical text may contain diagnoses, symptoms, or other sensitive health-related information, so silent transmission to third parties creates a real privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal