Market Access Value

Security checks across malware telemetry and agentic risk

Overview

This is a local market-access writing helper that writes a generated text file, with no evidence of network use, credential access, hidden behavior, or destructive actions.

Install only if you want a market-access or pharmacoeconomic value-proposition drafting aid. When running the script, choose an output path inside your workspace and review the generated payer/HTA content for regulatory, medical, and commercial accuracy before using it externally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The manifest documents executable behavior that can write files, but it does not declare any corresponding permissions or constraints. This weakens reviewability and policy enforcement because users and security controls may trust the manifest while the packaged workflow still produces filesystem side effects.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as an academic writing workflow, but the documented behavior and detected code capabilities support payer-facing pharmacoeconomic content generation and file output. This mismatch can cause operators to invoke the skill in broader or lower-risk contexts than intended, reducing scrutiny and creating opportunities for unsafe execution or misuse of domain-specific outputs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The top-level description frames the skill as academic writing support, while the body clearly targets market access, pricing, reimbursement, and payer strategy. This inconsistency can mislead users, bypass appropriate approval paths, and increase the chance that sensitive commercial or medical-strategy tasks are handled under an inaccurately low-risk label.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: The skill’s stated purpose in metadata is an academic writing workflow with clear output boundaries, but the code actually generates payer-facing pharmacoeconomic messaging. This mismatch can mislead reviewers and users about the true function of the skill, weakening trust and governance controls and increasing the chance of policy bypass or misuse in regulated commercial contexts.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The inline documentation says the tool writes payer-facing pharmacoeconomic value propositions, which conflicts with the manifest’s academic-writing framing. In security and compliance terms, deceptive or inconsistent documentation is dangerous because it obscures operational intent, making it harder to apply the right approval, monitoring, and usage restrictions.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The invocation guidance is broad enough to match generic academic writing requests, even though the skill appears specialized for market-access value content. Over-broad routing increases the chance of accidental activation, misuse with unsuitable inputs, and generation of outputs outside the skill's validated domain boundaries.

VirusTotal

67/67 vendors flagged this skill as clean.