Variant Annotation

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate variant-annotation skill, but it handles sensitive genetic queries and presents simplified clinical classifications in ways that need careful review.

Install only if you are comfortable sending queried variant data to NCBI services and using the output for research or education, not diagnosis or treatment. Run it in a sandboxed workspace, avoid broad or sensitive input files, choose output paths carefully, and have any clinical interpretation reviewed by qualified genetics professionals using current authoritative sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and requires network access plus file read/write behavior, but it does not declare explicit permissions. This creates a governance and sandboxing gap: reviewers and runtime policy engines cannot reliably enforce least privilege, increasing the chance of unintended data access, exfiltration, or unsafe file writes if the implementation is later added or changed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This reference provides ACMG classification rules and score thresholds for interpreting genetic variants but does not warn that these classifications are not standalone clinical advice and require expert review, phenotype correlation, and validated laboratory context. In a skill explicitly designed to answer pathogenicity and clinical significance questions, omission of that warning increases the risk that users or downstream agents will treat the material as authoritative medical decision support.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends user-supplied variant identifiers directly to NCBI ClinVar and dbSNP over the network without any explicit consent flow, warning, or privacy notice. In this skill's context, the inputs are genetic variants and related clinical interpretation queries, which can be sensitive biomedical data; transmitting them to a third party can create privacy, compliance, and user-expectation risks even if the destination is a legitimate service.

VirusTotal

66/66 vendors flagged this skill as clean.
