Back to skill

Security audit

Ultrahuman (OpenClaw)

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Ultrahuman health-summary helper, but it requires trusting local MCP tooling with sensitive health credentials and metrics.

Install only if you are comfortable letting a local mcporter/Ultrahuman MCP setup use your Ultrahuman token and fetch personal health metrics. Review or pin the external Ultrahuman-MCP repository before use, keep tokens out of shared configs and logs, and rotate the token if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of shell commands, reading local config files, and passing environment variables containing credentials, yet it declares no permissions. This creates a transparency and governance gap: users and platforms cannot accurately assess that the skill will access secrets and local files before use.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script silently expands its authority by reading Ultrahuman credentials from ~/.openclaw/openclaw.json when they are not already present in the process environment. That behavior is not obvious from the primary skill purpose and can cause the skill to access personal health data using locally stored secrets without an explicit user action at runtime.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill processes highly sensitive health data and instructs users to provide personal Ultrahuman credentials to an external MCP server workflow, but it gives no privacy warning or disclosure about where that data is sent, logged, or stored. In this context, omission of data-handling and consent guidance increases the risk of unintentional exposure of health information and account secrets.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The script accesses sensitive authentication material from environment variables and local configuration to retrieve personal health data, but it provides no explicit runtime disclosure or consent checkpoint beyond code comments and error messages. In a health-data context, silent use of stored credentials increases privacy risk even if the code does not exfiltrate the secrets directly.

Missing User Warnings

Low
Confidence
72% confidence
Finding
This function makes a network-backed mcporter call to fetch Ultrahuman metrics, which are sensitive health data, without any runtime notice or consent check. While expected for the feature, the absence of execution-time disclosure can lead to unanticipated transmission of personal data to the configured MCP service.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
cfg = json.load(f)
            vars_ = (cfg.get("env") or {}).get("vars") or {}
            if not os.environ.get("ULTRAHUMAN_AUTH_TOKEN") and vars_.get("ULTRAHUMAN_AUTH_TOKEN"):
                os.environ["ULTRAHUMAN_AUTH_TOKEN"] = vars_["ULTRAHUMAN_AUTH_TOKEN"]
            if not os.environ.get("ULTRAHUMAN_USER_EMAIL") and vars_.get("ULTRAHUMAN_USER_EMAIL"):
                os.environ["ULTRAHUMAN_USER_EMAIL"] = vars_["ULTRAHUMAN_USER_EMAIL"]
        except Exception:
Confidence
88% confidence
Finding
os.environ["ULTRAHUMAN_AUTH_TOKEN"]

Unvalidated Output Injection

High
Category
Output Handling
Content
"json",
    ]

    p = subprocess.run(cmd, capture_output=True, text=True)
    if p.returncode != 0:
        raise RuntimeError(
            f"mcporter failed (exit {p.returncode}).\nSTDOUT:\n{p.stdout}\nSTDERR:\n{p.stderr}"
Confidence
82% confidence
Finding
subprocess.run(cmd, capture_output

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.