open-health-link

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent breo Scalp5 health-data connector, but it handles sensitive report data and keeps a local authorization token until unbound.

Install only if you intend to connect your breo Scalp5 account. Approve the dependency install only if you trust this skill, avoid sharing the skill directory because it may contain the saved authorization token, and use the unbind command when you no longer want OpenClaw to access your reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium, 90% confidence
Finding
The manifest describes account binding and report/plan viewing, but the body also requires a remote lookup against an external plan knowledge base. Undisclosed remote data flows are dangerous because they can expose user-linked query content to a third party and bypass user expectations about what external systems are contacted.

Context-Inappropriate Capability

Medium, 88% confidence
Finding
The API reference expands the skill from account binding/report retrieval into a separate remote 'plan catalog' lookup hosted on an external CSV endpoint. That broadens data flows and trust boundaries beyond the stated Health Link scope, creating a supply-chain and scope-creep risk where remote content can influence responses or disclose additional user-related context without explicit user consent.

Vague Triggers

Medium, 89% confidence
Finding
The example trigger phrases are broad enough that ordinary user conversation could unintentionally invoke the skill, especially phrases like asking to view a report or scalp results. Because this skill handles health-account linking and access to sensitive scalp/health data, accidental activation could expose private information or initiate account actions without sufficiently explicit user intent.

Missing User Warnings

Medium, 93% confidence
Finding
The skill handles health-related authorization and report access using QR-based login and auth tokens, but the documentation omits any privacy notice, consent language, or handling restrictions for sensitive personal health data. In this context, missing transparency is dangerous because users may not understand that scanning the QR code enables access to scalp reports and linked account data, increasing the chance of over-collection, misuse, or insecure transmission of sensitive information.

Missing User Warnings

Medium, 96% confidence
Finding
The script places the authorization token directly in the URL path (`/auth/dt/<token>/list`). Tokens in URLs are commonly exposed through server logs, proxy logs, browser/history equivalents, monitoring systems, and error traces, making credential leakage much more likely than if the token were sent in an Authorization header or request body. In a health-data integration context, leakage of this token could allow unauthorized access to sensitive scalp reports and related personal health information.

Missing User Warnings

Medium, 86% confidence
Finding
The script explicitly documents that it outputs `rawData` and the full `reports` payload to stdout, which can expose sensitive health-related data to shell history captures, calling processes, logs, observability pipelines, or other local users depending on how the tool is invoked. In this skill's context, report contents are likely personal and health-adjacent, so unrestricted raw output increases the chance of accidental disclosure even if there is no direct remote exploit.

Missing User Warnings

Medium, 91% confidence
Finding
When --save is used, the script persists an authorization token and user identifier to disk without any visible consent prompt, disclosure, or protection measures shown in this file. In a health-data linkage skill, locally stored auth tokens can enable continued access to sensitive scalp/health-related account data if the host is shared, compromised, or backups/logging expose the file.

VirusTotal

64/64 vendors flagged this skill as clean.
