BioLIMS SKILL

Security checks across malware telemetry and agentic risk

Overview

The skill is a Bio-LIMS integration, but it exposes many sensitive lab, QC, report, export, and local-server capabilities beyond the narrow description, so it needs user review before installation.

Install only if you intend to grant an agent broad Bio-LIMS authority, including patient/order lookup, lab workflow mutation, QC changes, report operations, and exports. Avoid running the local server modes unless you add authentication, bind to localhost only, and restrict CORS. Treat token/cache files and exported data as sensitive, and require explicit human confirmation for any delete, complete, recall, import/export, report-send, or bulk-update action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
The documented interface set exposes materially broader capabilities than the skill's stated purpose, including result management, product modification, reagent/instrument actions, QC operations, batch export/import, and template import. In a Bio-LIMS context, this creates an over-privileged integration surface where an agent triggered for routine order/sample tasks could be steered into performing sensitive data manipulation, data export, or workflow-altering actions outside user expectations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The documentation exposes a much broader operational surface than the manifest description suggests, including destructive sample-pool actions, result manipulation, reagent consumption, batch export/write, and workflow progression. This mismatch can cause an agent or reviewer to underestimate the skill's real privileges, increasing the risk of unsafe invocation, over-broad delegation, and sensitive laboratory data or workflow changes without informed user consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
The file documents local file-oriented operations such as reading JSON via @filepath, batch-write to a file path, and template import execution, which exceed a narrow API-management role and create opportunities for unintended local file access or file creation. In an agent context, such capabilities are especially sensitive because they can bridge remote API actions with local workspace data handling, enabling exfiltration, tampering, or persistence through generated files.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
The reference includes a direct username/password login flow plus concrete encryption scheme details, including example key/IV and payload structure, even though the skill is described as business operations with automatic token handling. Exposing authentication internals broadens the skill's effective capability, increases the chance of credential misuse or recreation of privileged access flows, and normalizes handling raw credentials in a context that should avoid them.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
The file documents report-management operations such as assigning writers, generating reports, editing report details, and sending reports, but the declared skill description only mentions orders, sample receiving, barcode scanning, and experiment template workflows. This scope mismatch can cause an agent to invoke undocumented high-sensitivity functions involving medical/lab reports and outbound delivery, expanding the skill's effective privileges beyond what users and reviewers would reasonably expect.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
The file documents report-management and workflow-completion actions that extend beyond the declared Bio-LIMS scope of orders, sample receiving, barcode scanning, and experiment templates. This scope drift can cause the agent to invoke privileged report-generation or workflow APIs in response to loosely related prompts, increasing the chance of unauthorized actions, data exposure, or business-process manipulation in a sensitive laboratory environment.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
The direct-command mode allows any user who can reach the endpoint to invoke arbitrary Bio-LIMS subcommands by sending '/command ...', bypassing the narrower natural-language intent allowlist described elsewhere in the skill. In a LIMS context, this can expose undocumented capabilities such as sensitive reads or state-changing operations, materially expanding the attack surface beyond what users and integrators would expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
The script starts an unauthenticated local HTTP server and exposes Bio-LIMS-backed read and write operations, including order creation, update, completion, and cancellation, to any local process. Because it also sets `Access-Control-Allow-Origin: *`, a web page or other untrusted local software may be able to trigger requests against this service, leading to unauthorized access to sensitive patient/order data and unauthorized state-changing actions.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
The skill exposes report distribution and sending operations that are not disclosed in the manifest, expanding it from lab/order handling into report workflow actions. Hidden capability expansion is dangerous because an invoking agent or user may authorize the skill for a narrower purpose while the script can also assign writers, generate reports, mark sends, and complete report workflows affecting regulated patient-facing outputs.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The file includes sequencing QC management commands beyond the stated order/sample/experiment-template scope in the metadata. This hidden functionality increases attack surface and can lead to unauthorized processing or modification of QC records in a sensitive laboratory context where downstream decisions may depend on those records.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
The skill includes an SQL-checking capability unrelated to the declared operational purpose, which can help probe backend query behavior or validate attacker-crafted SQL. Even if it is only a validation endpoint, exposing database-adjacent functionality unnecessarily broadens the surface for abuse and reconnaissance.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
The login path prints the encrypted password, response headers, cookies, and part of the response body. Even if the password is encrypted, these values can contain bearer tokens, session identifiers, or other reusable authentication artifacts that enable account or session compromise if logs are exposed. In a BioLIMS context, that can lead to unauthorized access to patient, sample, and order data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
The order-query path logs request headers containing the Token and XSRF header values, plus the full session cookie jar. Those artifacts are often sufficient to replay authenticated requests or hijack a session, which is especially sensitive for a system that manages laboratory orders and patient/sample workflows.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
This script directly rewrites the main skill implementation file (`biolims.mjs`) by replacing a large embedded code block, which is a self-modifying capability unrelated to normal Bio-LIMS API operations. In an agent skill context, code-patching utilities expand the attack surface because they can alter trusted behavior outside normal runtime input handling and bypass review or deployment controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
The file's actual behavior is local code modification, not Bio-LIMS order, sample, or experiment-template management as described in the skill manifest. That mismatch is dangerous because hidden maintenance or patching behavior in a production skill can be used to alter future executions, introduce unauthorized logic, or evade expectations of users and reviewers.

Missing User Warnings

Severity: Medium
Confidence: 95%
The command list includes numerous destructive or state-changing actions—such as deleting experiment data, deleting pool records, changing products, removing samples, returning results, consuming reagents, and modifying workflow state—without any warnings, approval model, or indication of irreversible effects. In a laboratory information management context, these actions can directly affect sample integrity, traceability, QC, and regulated records, making omission of cautions and guardrails materially dangerous.

Missing User Warnings

Severity: Medium
Confidence: 90%
The documentation presents state-changing operations such as saving experiment data and completing workflow steps as routine commands without warning that they mutate laboratory records and may irreversibly advance a process. In a conversational agent context, that omission increases the chance of accidental execution, unauthorized changes, or operator confusion causing integrity issues in regulated lab workflows.

Missing User Warnings

Severity: Medium
Confidence: 94%
Commands that remove samples, reassign them between pools and experiments, add them to steps, or mix/cancel mixed samples can directly alter sample lineage, traceability, and experiment integrity. Documenting these actions without safety warnings or confirmation expectations is dangerous in a lab setting because mistaken or coerced execution could corrupt chain-of-custody records or invalidate experimental results.

Missing User Warnings

Severity: Medium
Confidence: 92%
The documentation exposes state-changing operations such as deleting QC details, processing orders, and recalling completed orders without any warning about confirmation, authorization, or operator review. In a conversational agent context, this increases the risk of accidental or socially engineered execution of destructive actions against laboratory workflow data.

Missing User Warnings

Severity: Medium
Confidence: 90%
The import, export, and external update features can move or modify potentially sensitive laboratory and patient-linked data, yet the README provides no privacy, retention, validation, or secure-handling warnings. In a Bio-LIMS setting, this omission can lead to unauthorized disclosure through exports or integrity issues through bulk imports and external sample updates.

Vague Triggers

Severity: Medium
Confidence: 86%
The trigger terms include very common words like 'order', 'sample', and 'patient', which can cause accidental invocation in unrelated conversations. In a skill that can query or mutate sensitive medical records, unintended activation increases the chance of unnecessary data access, wrong-context actions, or privacy leakage.

Missing User Warnings

Severity: Medium
Confidence: 90%
The skill documents create, update, complete, cancel, and delete workflows without consistent warnings, confirmation steps, or clear indication of irreversible effects. In a laboratory and patient-data context, mistaken destructive actions can alter chain-of-custody, invalidate workflows, or delete operational records.

Missing User Warnings

Severity: Medium
Confidence: 93%
The usage scenarios encourage displaying detailed patient and medical information directly in replies without requiring authorization checks, role validation, or data minimization. This creates a concrete risk of exposing PHI/PII to unauthorized users or over-disclosing sensitive information beyond what is needed for the task.

Missing User Warnings

Severity: Medium
Confidence: 92%
The document explicitly instructs consumers to handle authentication material including Token, X-XSRF-TOKEN, and Cookie/XSRF-TOKEN values. In a clinical LIMS context, exposing or mishandling these credentials can enable unauthorized access to patient/sample workflows and other sensitive laboratory data, especially because the skill description says authentication is automatic and no manual authentication is needed, reducing operator visibility into credential risk.

Missing User Warnings

Severity: Medium
Confidence: 88%
The file documents batch export of sample receive data to Excel with no privacy, authorization, retention, or destination-handling warnings. Because the referenced data model includes patient names, barcodes, order IDs, and potentially custom clinical fields, this creates a realistic risk of bulk PHI/PII exfiltration or accidental disclosure through generated files.

VirusTotal

67/67 vendors flagged this skill as clean.