Supplement Research

Security checks across malware telemetry and agentic risk

Overview

The skill is a legitimate supplement assistant, but it automatically stores sensitive health details and can set up scheduled follow-up messages with insufficient consent and deletion controls.

Install only if you are comfortable with the skill keeping a local plain-text health profile containing supplements, medications, conditions, allergies, goals, preferences, searches, and experiment check-ins. Before using research alerts or experiments, confirm where the files live, how to delete them, and whether scheduled messages are enabled. Avoid sharing sensitive medical details unless you want them retained and potentially reused for later recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
This section documents systematic retention of medications, conditions, allergies, goals, preferences, and search history in a persistent local profile, which materially expands the skill from answering supplement questions into building a sensitive health dossier. That scope expansion is dangerous because it increases privacy risk, breach impact, and the chance of using stale or incorrect medical context in later advice.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The documented cron-based outreach and follow-up workflows change the skill from a reactive advisory tool into a proactive messaging system that can contact users based on retained state. That is a significant behavioral expansion with privacy and trust implications, especially for health-related topics where unsolicited messages can expose sensitive interests or conditions on shared devices.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill instructs the agent to create or modify OpenClaw cron configuration, which is a system-level persistence and scheduled-execution capability unrelated to merely answering supplement questions. This is dangerous because it grants the skill a durable foothold for future execution and messaging, increasing the blast radius if the skill is misused or compromised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill creates a persistent state directory under the user's home directory and then uses it to retain monitor state, profile data, and experiment artifacts. That goes beyond a stateless supplement lookup helper and introduces ongoing collection/retention of user data, which increases privacy risk and the blast radius of compromise on the local host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
This section persists a detailed health profile including medications, conditions, allergies, goals, and notes into local markdown files. Because these are sensitive health-related data points stored in plain text without meaningful protection or explicit consent flow, the skill creates a privacy and confidentiality vulnerability that is disproportionate to its stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill logs user interests, supplement queries, context strings, and search history over time, enabling behavioral profiling unrelated to simple supplement information retrieval. Persistent query/context logging can reveal health concerns, medication interests, and personal patterns even when the user did not intend to create a durable record.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The experiment features persist baseline answers, check-ins, side effects, schedules, and computed verdicts to disk, transforming the tool into a health-tracking system rather than a simple evidence retriever. This materially increases sensitivity because it stores longitudinal health data and generates recommendations like 'stop' or 'clear-win' from local state, which could be exposed or misused.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README describes the skill persistently storing highly sensitive health-related profile data, including supplements, medications, conditions, and preferences, but does not prominently warn users in the user-facing flow that this information is stored locally and retained over time. In a health context, silent persistence increases privacy risk, especially on shared machines, backups, or when users assume the chat is ephemeral.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The README advertises proactive research updates and autonomous follow-up messages, but does not clearly foreground that the agent may initiate contact later without a fresh user request. Even if functionality is legitimate, insufficient disclosure can surprise users and lead to unwanted notifications or disclosures on shared messaging surfaces.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad, everyday language such as 'help', 'what's good for', and 'anything new on', which can cause accidental activation outside the user's intent to invoke a supplement skill. Unintended activation is risky here because the skill can then read/write profile data and perform networked actions in a health context.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill directs persistent storage of sensitive health information in a local profile without an explicit retention notice, consent flow, or clear limitation on reuse. This is dangerous because users may disclose medications, diagnoses, allergies, and goals expecting conversational assistance, not durable recording and future processing of that data.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The instruction to update the profile immediately whenever the user shares information normalizes silent collection of sensitive medical and behavioral data without per-item confirmation. In a supplement/health setting, this can create an extensive record of personal health details that the user never explicitly agreed to retain.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The cron prompt contains an ambiguous delivery rule: it sends a briefing when newStudyCount > 0, but otherwise says to stay silent unless 4+ weeks have passed since the last briefing without defining how that state is tracked or scoped to user consent. In a scheduled messaging context, ambiguity can cause unintended outbound user contact, inconsistent behavior across implementations, and privacy/trust issues because the agent may message users without a clearly bounded trigger.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This cron job is designed to send user-facing research briefings on a schedule, but the manifest snippet does not disclose scheduled outbound messaging or any user opt-in/notice requirement. That creates a real risk of non-consensual notifications, surprise contact, and misuse of health-related interest data, which is especially sensitive in a supplement and wellness context.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Sensitive health profile fields are written to local files silently, without any user-facing warning that medications, conditions, allergies, and other personal data will persist on disk. In the context of a supplement skill, that lack of disclosure is dangerous because users may reasonably expect ephemeral assistance, not local medical-style recordkeeping.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Baseline and check-in answers for experiments are persisted to disk without explicit disclosure, even though they may contain sensitive health metrics and side-effect information. Undisclosed retention of longitudinal health observations creates a substantial privacy risk and could surprise users who believe they are only getting temporary coaching or evidence summaries.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The comment indicates the profile is updated automatically whenever a user mentions supplements they take, which creates a broad implicit write trigger on health-profile data. In a supplement/health skill, casual or hypothetical statements can be misinterpreted as facts, causing inaccurate persistence of sensitive medical information and downstream unsafe recommendations or interaction checks.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
This template is designed to collect and persist highly sensitive health data, including medications, conditions, allergies, and history, but it contains no visible consent, minimization, retention, or privacy-handling guidance. In the healthcare/supplement context, storing this information without explicit disclosure and controls raises significant privacy and safety risk if the data is over-collected, exposed, or reused beyond the user's expectations.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The statement 'I remember everything you tell me' encourages over-disclosure and implies broad, indefinite retention of user-provided information without scope limitation. In a supplement and medication advisory skill, that likely includes sensitive health data, increasing privacy and data-minimization risk.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The README describes automatic saving of supplements, medications, goals, conditions, allergies, and related health context into a persistent user profile. This is sensitive personal and health-adjacent data, and automatic collection without clear consent and lifecycle controls creates a real privacy vulnerability.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The always-on Safety Watchdog is described as automatically detecting newly mentioned medications and adding them to persistent tracking. Automatically converting conversational mentions into retained medication records can capture sensitive health information without deliberate consent, which is particularly risky in health-related conversations.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The statement that the system 'remembers everything you tell me' implies indefinite retention and unrestricted reuse of user-provided information without minimization boundaries. In a health-adjacent skill, that creates unnecessary privacy exposure and can chill candid disclosures or amplify harm if data is later leaked or misapplied.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
These directives tell the agent to automatically reuse previously shared stack, medication, and goal data and casually save new state without explicit confirmation. The danger is not just storage itself but normalization of invisible longitudinal profiling in a context involving medications and health concerns.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The profile design centralizes a broad set of sensitive health and behavioral attributes over time, creating a rich target for exposure and mission creep. The more comprehensive the record, the greater the harm from unauthorized access, incorrect inference, or future feature expansion beyond the user's expectations.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Instructing the agent to log every supplement query builds a behavioral profile of the user's interests, concerns, and possible conditions over time. Even if intended for personalization, this creates non-obvious surveillance of health-adjacent behavior that exceeds what many users would expect from an answer-oriented skill.

VirusTotal

63/63 vendors flagged this skill as clean.