Referral Letter Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a medical referral letter generator, but it needs review because it can automatically install software at runtime and makes weakly supported privacy/security claims while handling sensitive patient data.

Install only after review in a controlled environment. Preinstall and pin the document-generation dependencies instead of allowing runtime pip installs, run the skill in an isolated workspace, and use real patient information only where your organization has approved local storage, secure transmission, and deletion procedures for PHI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
            from reportlab.lib.units import inch
        except ImportError:
            print("Warning: reportlab not installed. Installing required package...")
            os.system(f"{sys.executable} -m pip install reportlab -q")
            from reportlab.lib import colors
            from reportlab.lib.pagesizes import letter
            from reportlab.platypus import SimpleDocTemplate, Paragraph, Spacer, Table, TableStyle
Confidence
98% confidence
Finding
os.system(f"{sys.executable} -m pip install reportlab -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
            from docx.enum.text import WD_ALIGN_PARAGRAPH
        except ImportError:
            print("Warning: python-docx not installed. Installing required package...")
            os.system(f"{sys.executable} -m pip install python-docx -q")
            from docx import Document
            from docx.shared import Inches, Pt
            from docx.enum.text import WD_ALIGN_PARAGRAPH
Confidence
98% confidence
Finding
os.system(f"{sys.executable} -m pip install python-docx -q")

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents shell execution, file reads, and file writes, but does not declare corresponding permissions or constraints. In an agent environment, this creates a trust gap: operators may approve the skill based on incomplete capability disclosure while it can still access local files and invoke commands affecting the workspace.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is narrowly framed as referral-letter generation, but the behavior includes broader file generation, JSON file handling, local filesystem writes, and runtime package installation via pip. This mismatch is dangerous because users may authorize a seemingly simple document skill without realizing it can execute shell commands and modify the environment.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill claims automatic PHI redaction in logs, but the file provides no evidence of such controls. In a medical context, unsupported privacy assurances are risky because users may process sensitive patient data under a false belief that logs and outputs are automatically sanitized.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The security checklist asserts path validation, workspace restriction, and sandboxing, but these protections are not substantiated in the documented implementation. Such unsupported claims can cause users to rely on controls that may not exist, increasing risk of unsafe file access or unsandboxed execution.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A referral-letter generator should not need to run shell commands that modify the host environment during execution. This behavior is more dangerous in context because the skill processes medical data, so unexpected package installation adds unnecessary attack surface and could expose sensitive workflows to compromised dependencies or environment changes.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The DOCX path similarly performs runtime package installation via shell command, which is outside the minimum privileges needed for document rendering. In agent or enterprise environments, this can bypass change control, pull untrusted code from package indexes, and create persistent changes on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill handles patient data and writes artifacts to disk, yet it does not prominently warn against using real PHI without authorization or verifying secure storage. In a healthcare setting, this omission materially increases the chance of accidental exposure through insecure files, shared workspaces, or retained outputs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly collects and formats highly sensitive health information and multiple direct identifiers, including name, DOB, MRN, contact details, insurance, diagnoses, medications, labs, imaging, and mental health safety information, but provides no privacy, minimum-necessary, access-control, or secure-transmission guidance. In a medical referral workflow, this increases the risk of accidental disclosure, over-sharing, or insecure handling of regulated PHI when users copy, transmit, or store generated letters.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This template is explicitly designed to handle extensive protected health information, including patient identifiers, diagnoses, medications, labs, imaging, and insurance details, but it contains no privacy, minimum-necessary, or secure-handling warning. In a clinical documentation skill, that omission can normalize unsafe sharing, copying, or transmission of PHI to unintended recipients or insecure channels, increasing the likelihood of compliance and confidentiality failures.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatically installing packages without prior confirmation is an unsafe operational practice because it modifies the environment and fetches code from external sources during execution. While the warning message exists, it does not provide meaningful consent or control, and in constrained or production environments this can violate policy and increase supply-chain risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The DOCX dependency path repeats the same unsafe pattern of installing a package at runtime without explicit approval. This is especially problematic for a healthcare-related skill, where operators generally expect deterministic behavior and minimal environmental side effects when processing sensitive content.

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
docx
enum
reportlab
Confidence
96% confidence
Finding
docx

Unpinned Dependencies

Low
Category
Supply Chain
Content
dataclasses
docx
enum
reportlab
Confidence
99% confidence
Finding
reportlab

Known Vulnerable Dependency: reportlab — 6 advisories: CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
reportlab

VirusTotal

65/65 vendors flagged this skill as clean.
