Back to skill

Security audit

Medical Record Structurer

Security checks across malware telemetry and agentic risk

Overview

This medical-record skill has useful stated functionality, but it also includes under-disclosed self-modifying background code and handles sensitive medical data with unclear privacy boundaries.

Install only after carefully reviewing or removing auto-evolve-daemon.sh and scripts/self_evolve.py. Do not process real patient records unless you have verified whether PHI can be written to output files or sent to billing/OCR/STT services, and you have appropriate consent, retention, access-control, and compliance controls in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (22)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation states that the skill has no external dependencies and uses only the Python standard library, yet elsewhere it describes a paid external API/service and API-key setup. This discrepancy can mislead users into believing sensitive medical data will be processed locally when it may instead be sent to an external service, creating privacy, compliance, and trust risks.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The file presents itself as a medical record structuring component, but its actual behavior is to launch an infinite self-evolution daemon. This mismatch is dangerous because it can mislead reviewers and operators about the script’s purpose, reducing scrutiny around persistent autonomous code execution and self-modifying behavior.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documentation combines monetization with medical-record processing, a sensitive healthcare domain, without establishing necessity, scope, or privacy boundaries. This is dangerous because it normalizes processing regulated health data through an externally billed workflow and may lead implementers to transmit sensitive records and identifiers without appropriate consent, compliance review, or data-minimization controls.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script’s stated purpose is medical-record structuring, but it also performs external billing, balance checks, charging, payment-link generation, and local trial-state persistence. Mixing unrelated networked monetization logic into a healthcare data processor expands the attack surface and increases the chance that sensitive workflows operate with undeclared side effects.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The module description claims to only convert notes into standardized EMR format, but the implementation also performs billing, local persistence, and remote payment-link operations. This mismatch is dangerous because operators may trust the tool with highly sensitive medical data without realizing it has additional side effects and external dependencies.

Intent-Code Divergence

High
Confidence
93% confidence
Finding
The file presents itself as part of a medical-record structuring skill, but its actual behavior is autonomous project analysis, code rewriting, file creation, and version mutation. This mismatch is dangerous because it obscures high-risk capabilities behind a benign medical label, reducing operator scrutiny and increasing the chance that self-modifying logic is executed unintentionally.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The evolve() workflow performs autonomous modification of the skill by changing code, updating documentation, generating new modules, and bumping versions, all from a single execution path. In a skill handling medical-record functionality, this creates unauthorized capability expansion and supply-chain risk because code can change over time without a trusted review boundary.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The _enhance_core_script() function directly rewrites the core processing script, including injecting imports and altering implementation state based on simple string matching. Direct mutation of a core medical-processing component is dangerous because it can silently change runtime behavior, introduce defects or backdoors, and bypass normal testing and review controls.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script creates a new executable support module on disk, which expands the skill’s codebase and operational surface without prior declaration or approval. Even though the generated module appears benign, arbitrary code generation inside a deployed skill is a risky persistence and capability-expansion mechanism.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples include and persist identifiable medical record content, including names, ages, symptoms, diagnoses, and user identifiers, into files and API outputs without any privacy warning or guidance on handling protected health information. In a medical-record structuring skill, this normalizes unsafe handling of highly sensitive data and can lead users to store real patient data insecurely in local files, logs, or shared environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API and CLI examples accept raw medical text and user identifiers and transmit or process them without any warning about sensitive-data exposure in HTTP requests, command histories, shell process listings, logs, or output files. Because this skill is specifically designed for medical records, the context increases the risk that users will test with real patient data and unintentionally disclose regulated health information.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The FAQ states the tool works offline except for billing after the trial, but it does not clearly warn users that post-trial billing operations require network access and may transmit account or billing identifiers. In a medical-record processing context, incomplete disclosure about when network communication occurs can mislead users about data handling and operational privacy expectations, even if the transmitted data is limited to billing metadata.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The guide encourages users to process their own medical records without any warning about privacy, data handling, or possible transmission to third-party services. Because medical records are highly sensitive, this omission can lead users to expose protected health information without informed consent or understanding of retention and disclosure risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explains API-key configuration and paid per-call use for medical-record processing but does not clearly warn that an external service may receive sensitive patient data. In a medical context, failing to disclose external processing materially increases the risk of privacy violations, regulatory noncompliance, and accidental transmission of PHI to an unvetted third party.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes sending medical records to external OCR/STT providers but does not clearly warn users that PHI may be transmitted to third parties, potentially across jurisdictions and under separate retention/training policies. In a medical-record skill, this omission is security-relevant because operators may unknowingly expose highly sensitive data to vendors without adequate consent, BAAs/DPAs, or compliance review.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly handles PHI and advertises external OCR/STT integrations, but it does not clearly warn that patient data may be transmitted to third-party processors. In a healthcare context, this omission can cause users to expose regulated medical data without informed consent, creating serious privacy, compliance, and contractual risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script runs an endless loop that repeatedly executes a self-evolution subprocess every 30 minutes without any user-facing consent, guardrails, or runtime confirmation. In the context of an agent skill, unattended recurring execution can enable persistent unauthorized changes, resource abuse, and covert drift in behavior over time.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example documents automatic paid processing of medical records using a user identifier, but does not clearly warn that sensitive data and linked identifiers may be transmitted or processed by external components. In a medical context, missing transparency and consent language increases the risk of privacy violations, improper third-party disclosure, and noncompliance with healthcare data-handling requirements.

Missing User Warnings

High
Confidence
94% confidence
Finding
The tool can write fully structured records, including patient demographics and the original source_text, to an arbitrary output file with no warning or protective controls. Because the content is medical data, this can lead to accidental plaintext storage of sensitive patient information on shared disks, backups, or insecure paths.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes modified content to project files automatically and provides only progress output, with no explicit confirmation, dry-run, rollback, or warning about code changes. This is dangerous because users may trigger irreversible modification of the skill repository or deployed code unintentionally, especially in sensitive environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script uploads a skill file to an external service and the skill is explicitly described as handling medical record structuring, which raises a realistic risk that sensitive healthcare-related logic, prompts, sample data, or embedded PHI could be transmitted off-system without any user warning, consent check, or data-classification gate. While the uploaded artifact is a skill file rather than raw patient records, the healthcare context makes undisclosed external transmission more sensitive than a routine package upload.

Session Persistence

Medium
Category
Rogue Agent
Content
- Include patient demographics

### Permission denied errors
Create the required directory:
```bash
mkdir -p ~/.openclaw/skill_trial
chmod 755 ~/.openclaw
Confidence
73% confidence
Finding
Create the required directory: ```bash mkdir -p ~/.openclaw/skill_trial chmod 755 ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.