Drug Safety Review

Security checks across malware telemetry and agentic risk

Overview

This medication-safety skill is not clearly malicious, but it needs review because its medical capability, privacy claims, billing behavior, local tracking, and background self-evolution script do not line up cleanly.

Install only if you are comfortable treating this as a limited local demo, not a comprehensive medical safety system. Do not use real patient identifiers as user_id values, verify all medication results with authoritative clinical sources, avoid running auto-evolve-daemon.sh, and review the SkillPay billing endpoint and credential names before enabling paid use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The FAQ makes a strong privacy/security claim that no medication data is ever stored or transmitted, yet other parts of the document describe payment and balance features that likely require network communication. In a healthcare context, overstating local-only processing can mislead users into entering sensitive medication or patient data under false assumptions, creating privacy, compliance, and trust risks.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding:
The documentation claims the tool works completely offline, but the same FAQ references paid usage, SkillPay, balance checks, and online support channels that suggest at least some functionality depends on network access. This inconsistency is dangerous because users may rely on offline/privacy assurances that are not universally true, leading to deployment or compliance mistakes.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding:
The documentation states that the skill has no external dependencies and uses only the Python standard library, yet elsewhere it instructs users to obtain an API key and configure billing-related environment variables. This creates a misleading trust boundary: operators may assume the skill is fully local/offline when it may perform networked billing or external service interactions, which can affect review, deployment, and data-handling decisions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill embeds billing configuration and monetization logic that is unrelated to its core medication-safety purpose, creating unnecessary external dependency and data flow. In a health-related tool, adding payment/network behavior increases privacy and trust risk because user activity may be linked to a third-party service before or alongside clinical processing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code persistently stores per-user trial usage under ~/.openclaw/skill_trial without any privacy notice, retention policy, permission hardening, or integrity controls. For a healthcare-adjacent skill, even seemingly simple usage metadata can reveal who is using a medication review tool and enable local privacy leakage or tampering with trial counters.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The processing flow invokes an external billing service as part of returning medication review results, coupling health-related processing to a third-party network operation. This expands the attack surface and can expose user identifiers and service usage patterns in a context where users reasonably expect local or privacy-preserving analysis.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The examples encourage submission of medication, allergy, age, and renal-function data, which is highly sensitive health information, without any nearby privacy, consent, retention, or transmission warning. In a drug-safety skill, this context makes the issue more serious because users are likely to test with real patient data, increasing the risk of unintended disclosure or regulatory noncompliance if data is transmitted or logged.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill is explicitly designed to process sensitive health-related information including medications, allergies, age, weight, and renal function, yet the documentation does not warn users about PHI/medical-data handling, minimization, storage, or transmission risks. In a healthcare context this increases the likelihood of unsafe deployment, accidental disclosure, and regulatory noncompliance because users may submit identifiable patient data without understanding the privacy implications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This script launches a long-running background-style loop that repeatedly executes another script every 30 minutes with no approval gate, kill condition, or user-facing notice. In the context of an agent skill, silently recurring execution is dangerous because it creates persistent autonomous behavior and repeatedly re-triggers whatever `self_evolve.py` does, amplifying any harmful or compromised logic.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This file presents extensive drug, interaction, contraindication, and allergy reference content without any disclaimer that it is informational only and not a substitute for clinician, pharmacist, or other licensed medical judgment. In a medical context, users may over-rely on the document for diagnosis, prescribing, dosing, or safety decisions, increasing the risk of harmful self-medication, contraindicated use, or missed professional evaluation.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
This document provides detailed medication interaction, contraindication, and allergy guidance in a clinical domain without any visible disclaimer that it is informational only and not a substitute for clinician or pharmacist judgment. In a medication-safety context, users may over-rely on simplified criteria to start, stop, or combine drugs without considering patient-specific factors such as dose, comorbidities, pregnancy, renal function, or current labs, which can lead to serious adverse events.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The CLI can write potentially sensitive medication, allergy, and patient review results to any caller-supplied file path with no warning or safeguards. This can lead to accidental disclosure through insecure locations, overwriting other files, or leaving medical data on shared systems.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill transmits user_id and skill_id to an external billing API without a clear user-facing privacy disclosure or consent gate. In a medication safety context, even indirect identifiers tied to tool usage may reveal sensitive health-related behavior and create compliance concerns.

VirusTotal

64/64 vendors flagged this skill as clean.