VetClaw Bundle

Security checks across malware telemetry and agentic risk

Overview

VetClaw is a coherent veterinary clinic automation bundle, but it needs Review because it stores and exposes sensitive clinic data, can mutate records, and under-discloses external AI and messaging data flows.

Install only after treating this as a real clinic system, not a simple chatbot. Put it behind authentication, restrict who can access records and reports, add confirmation before record writes or appointments, define retention/deletion for stored chats and records, and do not configure DeepSeek, SMS, or WeChat keys unless customers and staff have been told what data may be sent and have appropriate consent/opt-out controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (83)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill advertises substantial capabilities such as environment access, file I/O, networking, and shell-like behavior without declaring permissions. This creates a trust and review gap: operators may install or run the skill assuming a narrower capability set than it actually needs, which is especially risky in a veterinary context handling customer and medical data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose frames the bundle as clinic automation, but the observed behavior includes persistent SQLite storage, HTTP API endpoints, conversation logging/history, and outbound LLM API access that materially expand the attack surface. Undisclosed retention and network transmission of client, pet, and medical-interaction data can expose sensitive information and lead to unsafe deployment assumptions.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The conversation-history endpoint returns full stored chat logs for any caller who knows or guesses a session_id, with no authentication or authorization checks. In a veterinary context, those chats can contain personal data, pet health details, appointments, and triage content, making this an exposure of sensitive medical and customer information.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The medical-record lookup handler returns recent records, and even all recent records when no pet name is supplied, without verifying the requester's identity or relationship to the patient. This enables unauthorized disclosure of veterinary medical records and associated pet information, which is especially risky because the app is explicitly designed for clinic operations and stores real client data.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The documented trigger phrases are very broad terms like symptoms or everyday service words, which can cause accidental activation of high-impact workflows such as emergency triage, appointment handling, record lookup, or knowledge responses. In a veterinary clinic context, ambiguous activation increases the chance of misrouting user intent, exposing sensitive data, or generating inappropriate medical or operational actions without clear user confirmation.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: Using the AI front desk as a default route means unmatched or ambiguous user input may be automatically handled by a catch-all LLM-driven workflow. In a clinic setting, this can result in unauthorized handling of personal or medical information, incorrect emergency guidance, or unintended business actions because the system lacks a clearly bounded activation condition.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README promotes automation of client intake, medical records, scheduling, payments, reminders, and knowledge workflows involving clinic and customer data, but it does not mention privacy boundaries, consent, retention, access control, or data handling risks. In a veterinary practice, this can lead deployers to process personal, payment, and potentially regulated medical information without adequate safeguards or user awareness.

Vague Triggers

Severity: Medium
Confidence: 72%
Finding: Using the broad trigger word '登记' can cause accidental activation during unrelated front-desk conversations. In a workflow that stores client and pet information, unintended triggering may result in unnecessary data collection, wrong record creation, or confusing automated actions.

Vague Triggers

Severity: Medium
Confidence: 71%
Finding: The trigger terms '预约', '挂号', and '看诊' are common conversational words and may fire outside a true scheduling intent. This can lead to unintended appointment workflows, improper notification sending, or incorrect handling of clinic operations.

Vague Triggers

Severity: High
Confidence: 89%
Finding: A single-character trigger like '急' is excessively ambiguous and can activate emergency triage behavior during ordinary conversation. In a medical-adjacent setting, false emergency routing or advice can disrupt care workflows, alarm users, or delay appropriate human review.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill states that collected customer and pet data will be automatically stored in a database, but it does not clearly warn users about persistence of personal information. This undermines informed consent and increases privacy and compliance risk, particularly for contact details and medical-related records.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The appointment skill says it will send confirmation notifications but does not clearly inform users that customer contact details will be used for outbound messaging. This can cause privacy violations, unexpected communications, and consent issues if notifications are sent automatically.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The sample dialogue explicitly collects and echoes back a person's name, phone number, and pet medical/profile details without any notice about consent, retention, masking, or handling of sensitive data. In a veterinary workflow this is contextually plausible, but publishing examples that normalize full PII display can encourage downstream implementations that over-collect, over-expose, or log sensitive customer records insecurely.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The conversation states that SMS reminders will be sent using the customer's contact details, but it does not mention consent, opt-in, or how the phone number will be used for outbound messaging. This is less severe than direct data exposure, but it can lead to privacy, compliance, and user-trust issues if implementers assume reminders may be sent automatically without explicit authorization.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The workflow automates birthday SMS, churn-based outreach, and WeChat pushes using customer and pet data, but it does not mention consent, opt-out handling, or privacy/compliance safeguards. In a veterinary clinic context, this can lead to unauthorized marketing contact, misuse of personal data, and regulatory or reputational harm if customers are messaged without clear permission.

Missing User Warnings

Severity: High
Confidence: 94%
Finding: User messages are sent to an external LLM provider with no visible consent, notice, or filtering, and those messages may contain client names, phone numbers, pet symptoms, or lab results. In a clinic setting this creates a significant privacy and compliance risk because sensitive medical and customer data is being disclosed to a third party outside the application boundary.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The application persistently stores user and assistant conversation content, including potentially sensitive health and contact information, without any notice, retention policy, or apparent access controls. Even if storage is operationally useful, silent retention increases privacy risk and magnifies the impact of any later data exposure.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger phrases "预约", "挂号", and especially the very common term "看诊" are broad enough to appear in ordinary conversation, which can cause unintended activation of the appointment workflow. In a veterinary clinic context, accidental activation could lead to unwanted scheduling actions, exposure of patient-related data, or confusing operational side effects if the skill is connected to backend systems.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The skill declares it is 'auto-triggered' and also says users can 'input a trigger word', but it never defines the actual trigger phrases or the scope of activation. This ambiguity can cause unintended execution in normal conversations, leading to accidental customer outreach or processing of pet/customer data without clear user intent, which is more concerning in a veterinary workflow that may touch personal information.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger phrases "促销" and "活动" are generic terms that are likely to appear in normal discussion, which can cause accidental or unintended skill activation. In an automation context, broad triggers increase the risk of the agent performing business actions or generating operational outputs without sufficiently clear user intent.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The statement that the AI will "auto-detect intent and execute corresponding operations" does not define what inputs activate the skill or what actions are allowed. This ambiguity can lead to misfires, prompt confusion, and unintended execution paths, especially in a system handling scheduling, records, or customer operations for a veterinary business.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The trigger words "病例" and especially "案例" are broad, common Chinese terms that can appear in ordinary veterinary discussions, making unintended activation plausible. In an automation skill that may access case libraries or return structured records, accidental invocation can cause workflow confusion, unintended data exposure, or actions being taken in the wrong context.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases "流失" and "久未复诊" are broad and the skill does not define clear activation boundaries, inputs, or guardrails. In a veterinary workflow, this can cause unintended invocation on ordinary conversations about patient follow-up or churn, potentially leading to inappropriate automated actions or exposure of sensitive client/patient data in the wrong context.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger phrases "年检" and "资质" are generic and the document does not define clear activation boundaries, required user context, or confirmation steps before execution. In an automation skill for veterinary compliance workflows, this can cause unintended invocation, misrouting of user requests, or premature compliance-related actions based on ambiguous input.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The trigger phrase "日报" is very generic and likely to appear in ordinary conversation, which can cause the skill to activate when the user did not intend to invoke it. In a veterinary operations context, unintended activation could expose business metrics, generate incorrect reports, or interfere with workflow automation tied to revenue reporting.

VirusTotal

64/64 vendors flagged this skill as clean.