ClawHub

MedRates.fyi

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for medical price lookups, but it sends potentially sensitive procedure, insurance, and location details to a third-party service without enough privacy guidance.

Review this carefully before installing if users may ask about real medical procedures, insurance plans, or precise locations. Use only the minimum needed information, avoid names or identifiers, prefer coarse location when possible, and confirm before sending sensitive health-related queries to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs sending health-related procedure queries together with insurance and optional location data to a third-party API, but it does not give an explicit privacy warning or minimization guidance. Even if the API is legitimate, these fields can reveal sensitive personal or medical context, so omission of disclosure and caution is a real privacy/security weakness.

External Transmission

Medium
Category
Data Exfiltration
Content
The fastest way to answer "how much does X cost?" is the NLP search:

```bash
curl -X POST https://data.medrates.fyi/api/search/nlp/grouped \
  -H "Content-Type: application/json" \
  -d '{"query": "brain MRI near San Jose with Blue Cross PPO"}'
```
Confidence
90% confidence
Finding
curl -X POST https://data.medrates.fyi/api/search/nlp/grouped \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
The fastest way to answer "how much does X cost?" is the NLP search:

```bash
curl -X POST https://data.medrates.fyi/api/search/nlp/grouped \
  -H "Content-Type: application/json" \
  -d '{"query": "brain MRI near San Jose with Blue Cross PPO"}'
```
Confidence
90% confidence
Finding
https://data.medrates.fyi/

External Transmission

Medium
Category
Data Exfiltration
Content
For exact code lookups with multi-hospital price comparison:

```bash
curl "https://data.medrates.fyi/api/price-quote?codes=70551,70552&lat=37.33&lng=-121.89&payer=Blue+Cross&plan_type=PPO"
```

## Coverage Limitation
Confidence
88% confidence
Finding
https://data.medrates.fyi/

External Transmission

Medium
Category
Data Exfiltration
Content
When presenting results to users, link to the web UI for visual exploration:

- **Procedure page:** `https://data.medrates.fyi/code/{CODE_TYPE}/{CODE}` (e.g. `/code/CPT/70551`)
- **Hospital search:** `https://data.medrates.fyi/search?q={QUERY}`
- **All hospitals:** `https://data.medrates.fyi/hospitals`

## Workflow Recommendations
Confidence
82% confidence
Finding
https://data.medrates.fyi/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal