Medical Device MDR Auditor

Security checks across malware telemetry and agentic risk

Overview

This is a local, user-directed EU MDR audit helper with some scoping and packaging cautions but no evidence of hidden, destructive, credential, network, or persistence behavior.

Install only if you need local MDR technical-file checks. Run it on a narrow, intended technical-file folder, choose an output path you control, review reports before sharing because they may contain confidential paths or filenames, and avoid blindly installing the unpinned requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill advertises and documents local file read/write behavior via `scripts/main.py`, input directories, config files, and output report paths, but it does not declare corresponding permissions. This creates a governance gap: the runtime or reviewer may underestimate the skill's access needs, increasing the chance of unintended exposure of sensitive technical-file contents or writes to unsafe locations if the script is invoked with attacker-controlled paths.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The audit artifact classifies the skill as an 'Academic Writing' package despite the manifest describing a medical-device MDR auditor. This kind of capability/positioning drift can misroute the skill, weaken safety guardrails, and cause reviewers or orchestrators to apply the wrong trust assumptions to a regulatory-analysis tool.

Intent-Code Divergence

Severity: Low
Confidence: 79%
Finding:
The audit artifact contains internally inconsistent safety claims: several notes state the workflow stayed within the MDR audit boundary, while another recorded test explicitly failed for scope-boundary and safety-guidance issues. In a compliance-oriented medical context, contradictory audit evidence can cause operators to overtrust the skill and overlook situations where it drifts beyond its validated scope.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The `When to Use` section broadens invocation beyond MDR auditing into generic academic-writing and fallback scenarios, which can cause the skill to be selected for tasks outside its validated domain. In context, that mainly raises the risk of misuse or over-invocation rather than direct compromise, but it can still expose local files to an unnecessary script execution path if an orchestrator routes requests too loosely.

VirusTotal

32/32 vendors flagged this skill as clean.