FHE-as-a-Service

Security checks across malware telemetry and agentic risk

Overview

This skill is a review item because it makes strong encrypted-health-data privacy claims while its examples show clinical values being sent to a third-party API as ordinary JSON.

Review this carefully before installing or using it with real clinical information. Verify the provider, privacy terms, compliance posture, and actual end-to-end encryption design; do not send PHI or patient-derived values unless your organization has approved the service and the data flow. Prefer test or de-identified data, and protect or rotate any API key obtained from the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill repeatedly claims inputs are FHE-encrypted and that the server never sees plaintext, yet the documented compute examples submit ordinary numeric arrays in JSON. This creates a serious mismatch between security claims and actual API usage, which can mislead agents into transmitting sensitive clinical data in plaintext to a third-party endpoint under a false assurance of confidentiality.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The Security section asserts ciphertext-only processing and no plaintext exposure, but the earlier request examples show raw clinical values being posted directly. In a healthcare context, misleading security representations can cause unauthorized disclosure of highly sensitive patient data and improper reliance on regulatory/compliance claims.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs users to send clinical score inputs and bearer API keys to an external service without a clear warning that sensitive health-related data may leave the local environment. This omission reduces informed consent and increases the chance that an agent will transmit patient data to a third party without appropriate review, de-identification, or approval.

VirusTotal

65/65 vendors reported this skill as clean.