KrumpPhysio

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed physiotherapy coaching prompt, but its optional integrations can handle patient videos, health-session logs, external telemetry, and Stripe payments without enough consent and scope controls.

Review before installing. The basic coaching instructions are understandable, but do not enable video intake, Canton logging, Anyway telemetry, provider APIs, or Stripe payment links unless you have reviewed the referenced external code, restricted credentials, obtained explicit consent for patient data, and set privacy-preserving defaults such as redaction, limited retention, and no prompt/tool-I/O capture by default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The file states that only metrics are sent to OpenClaw, yet elsewhere says the bot may collect and send optional profile details such as name, interests, and limbs to work on. This inconsistency can mislead deployers and users about what personal or health-adjacent data is transmitted, undermining privacy controls and informed consent.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The reference broadens a physiotherapy coaching skill into payment-link creation and monetization, which is outside the core therapeutic scope and can prompt agents to perform financial actions in inappropriate contexts. In a health-related skill, mixing care guidance with payment execution increases the chance of unauthorized billing flows, social engineering, or pressure on patients during care interactions.

Description-Behavior Mismatch

Low
Confidence: 84%
Finding
The observability section introduces tracing and tool I/O capture that is not necessary for basic physiotherapy coaching and may expand the skill's operational scope. Because this skill may process patient health details, enabling broad telemetry without clear safeguards can expose sensitive inputs and outputs to external systems.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
Payment-link generation through Stripe is context-inappropriate for a physiotherapy coaching skill and creates a path for the agent to initiate financial transactions unrelated to movement coaching. In a healthcare-adjacent context, this is especially risky because users may trust the agent and follow payment prompts without adequate verification or separation from care advice.

Vague Triggers

Medium
Confidence: 86%
Finding
The publish/install guidance says the agent will load this skill when a task matches broad concepts like physio, movement scoring, rehab, Krump, Canton logging, and health-and-wellbeing flows. That scope is wide enough to trigger the skill in contexts where medical, therapeutic, or logging behavior was not explicitly requested, increasing the risk of unintended activation and inappropriate health-related guidance.

Vague Triggers

Medium
Confidence: 84%
Finding
The skill description advertises use for physio/rehab agents, movement scoring, and general health-and-wellbeing flows without strong scope limits or safety boundaries. In a healthcare-adjacent skill, broad usage guidance can cause overreach into sensitive medical or wellness scenarios, where an agent may provide advice beyond intended competence or without proper user consent.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill presents itself as a physiotherapy aid while also enabling patient video handling, ledger logging, and payment flows without an upfront warning that sensitive health-related data may be processed or shared. In a health context, lack of prominent notice materially increases the risk of uninformed disclosure and misuse of sensitive data.

Missing User Warnings

High
Confidence: 95%
Finding
This section instructs use of uploaded patient videos and forwarding derived results to external services, including OpenClaw and optional third-party providers, without requiring an explicit health-data warning or consent step beforehand. Because the content concerns rehabilitation and patient media, the privacy sensitivity is high and the absence of mandatory disclosure creates substantial confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The reference suggests forwarding patient video metrics through an HTTP API without an explicit privacy warning, consent flow, or data-handling limitations. Since movement videos and derived metrics can constitute sensitive health data, silent transmission to another service can lead to privacy violations, regulatory exposure, and unauthorized secondary use.

Missing User Warnings

Medium
Confidence: 92%
Finding
Enabling capture of tool I/O in observability for a physiotherapy skill can collect sensitive health-related prompts, notes, scores, and potentially patient identifiers without warning users. This creates a meaningful confidentiality risk because rich telemetry often leaves the immediate care workflow and may be retained or viewed by operators and third-party services.

Missing User Warnings

Low
Confidence: 77%
Finding
Referencing use of a Stripe secret key without guidance on secure credential handling encourages unsafe operational practices, such as storing secrets in plaintext or exposing them to agent-accessible contexts. While the line itself is not an exposed secret, it normalizes sensitive credential use in a skill that should not need direct financial secret handling.

Ssd 3

Medium
Confidence: 96%
Finding
The observability guidance recommends capturing full prompt/completion text and tool inputs/outputs, which in this health-oriented skill can include patient symptoms, movement metrics, uploaded-video summaries, and billing details. Sending that material to an external telemetry service creates a direct pathway for overcollection and secondary disclosure of sensitive data.

Ssd 3

Medium
Confidence: 92%
Finding
The Canton logging instructions tell the agent to persist angle data together with the agent's full natural-language reply as notes, which can easily include sensitive health observations, symptoms, or other session content. That encourages storage of more patient-related information than necessary and increases exposure if the ledger or downstream readers are compromised or over-permissioned.

VirusTotal

64/64 vendors flagged this skill as clean.
