Quantinuumclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can deploy public healthcare-oriented cloud services and handle secrets with weak default safeguards.

Review before installing or using on real projects:
  • Use only synthetic or de-identified clinical data.
  • Do not put real secrets in VITE_* frontend variables.
  • Inspect .env before deployment.
  • Prefer --skip-secrets unless needed.
  • Add backend authentication and rate limits.
  • Restrict CORS.
  • Protect admin/metrics endpoints.
  • Treat any Fly.io deployment as a public persistent service unless you explicitly lock it down.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to run local scripts, deploy services, read and write project files, access environment secrets, and communicate with external services, yet it declares no permissions. This mismatch can cause the agent or reviewers to underestimate the skill's operational reach, increasing the chance of unintended file modification, secret exposure, or network actions during use.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The documentation recommends adding an `/api/admin/queue-size` endpoint with no authentication, authorization, or network restrictions. Even if it only exposes queue length, this is operationally sensitive data that can aid reconnaissance, reveal tenant activity patterns, and create an unnecessary admin surface in a healthcare/clinical deployment context.

Missing User Warnings

Medium
Confidence: 89%
Finding: The README encourages users to scaffold and deploy a public backend for clinical/healthcare use cases before prominently warning about the risks of exposing health-related APIs and data to a public cloud service. In this context, users may quickly stand up internet-accessible services, configure secrets, and connect frontends without implementing strong authentication, data minimization, or privacy controls, increasing the chance of accidental exposure of sensitive clinical information.

Vague Triggers

Medium
Confidence: 76%
Finding: The activation guidance is very broad, covering generic clinical, healthcare, and quantum-web-app terms that may appear in many unrelated conversations. Overbroad matching can invoke this powerful deployment-oriented skill in contexts where it is unnecessary, increasing the chance that the agent proposes or performs file, shell, or network actions outside the user's actual intent.

Missing User Warnings

Medium
Confidence: 93%
Finding: The guidance describes an admin queue-size endpoint without warning that it leaks operational state. Such metadata can help attackers estimate workload, identify busy periods, infer customer usage, and target denial-of-service or abuse more effectively.

Missing User Warnings

Medium
Confidence: 98%
Finding: Secrets are passed as command-line arguments via `fly secrets set KEY=value`, which can expose them to local process inspection, shell history equivalents, CI logs, or debugging/telemetry systems. In a deployment skill handling healthcare or clinical workloads, this raises the sensitivity because API keys or tokens may protect regulated or production data paths.

VirusTotal

66/66 vendors flagged this skill as clean.