test

Security checks across malware telemetry and agentic risk

Overview

This Hash Health skill is coherent, but it can read, store, add, and delete sensitive meal and medication records through an external API with limited safeguards.

Install only if you trust Hash Health and the listed Vercel API endpoint with your food, nutrition, and medication information. Before using it, verify your HASH_HEALTH_USER_ID, avoid logging details you do not want stored remotely, and require explicit confirmation before adding or deleting any meal or medication record.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium, 91% confidence
Finding
The skill advertises activation for broad terms like food, meals, eating, nutrition, medications, and health tracking, which can cause it to trigger in many ordinary health-related conversations. In this context, over-broad invocation is risky because the skill is wired to an external health service and may lead to unnecessary handling or transmission of sensitive health and medication data.

Missing User Warnings

High, 98% confidence
Finding
The skill instructs the agent to send meal, nutrition, medication, and user identifier data to an external API but does not prominently disclose this in the user-facing description. Because the data involved is health-related and potentially highly sensitive, lack of disclosure undermines informed consent and increases privacy and compliance risk.

Missing User Warnings

Medium, 95% confidence
Finding
The skill documents DELETE operations for meals and medications without requiring a final confirmation before execution. In a health-tracking context, accidental deletion can remove nutrition history or medication records, harming record integrity and potentially affecting user decision-making or adherence tracking.

Natural-Language Policy Violations

Medium, 82% confidence
Finding
The meal analysis request hard-codes the language to English without checking the user's locale or obtaining consent. This can lead to inaccurate parsing of food names, incorrect nutrition analysis, and poor handling for non-English users, which is especially problematic in a health-related skill where data quality matters.

VirusTotal

66/66 vendors flagged this skill as clean.
