FHIR Questionnaire Designer

Security checks across malware telemetry and agentic risk

Overview

The skill’s behavior matches its stated purpose: it helps build and validate FHIR questionnaires using disclosed local scripts and official terminology lookups.

Install only if you are comfortable with local Python scripts that query external terminology servers and create or validate JSON files. Do not include patient identifiers or sensitive clinical narratives in lookup terms, and use simple safe IDs plus a deliberate output directory when generating custom CodeSystem or ValueSet files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Tainted flow: 'codesystem_file' from input (line 344, user input) → open (file write)

Medium
Category
Data Flow
Content
codesystem_file = output_dir / f"CodeSystem-{id}.json"
valueset_file = output_dir / f"ValueSet-vs-{id}.json"

with open(codesystem_file, 'w') as f:
    json.dump(codesystem, f, indent=2)

with open(valueset_file, 'w') as f:
Confidence
96% confidence
Finding
with open(codesystem_file, 'w') as f:

Tainted flow: 'valueset_file' from input (line 345, user input) → open (file write)

Medium
Category
Data Flow
Content
with open(codesystem_file, 'w') as f:
    json.dump(codesystem, f, indent=2)

with open(valueset_file, 'w') as f:
    json.dump(valueset, f, indent=2)

# Success message
Confidence
96% confidence
Finding
with open(valueset_file, 'w') as f:
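Both findings above are the same defect: the caller-supplied id is interpolated into a file name and the result is opened for writing, so an id containing path separators and ".." segments lands the write outside output_dir. The block below is an added example, not code from the scanned skill. Only the two path expressions (CodeSystem-{id}.json and ValueSet-vs-{id}.json) come from the findings; the function names, the tempfile demo and the sample ids are assumed. The allowed-character pattern is the FHIR id datatype ([A-Za-z0-9\-\.]{1,64}), which is what "simple safe IDs" in the Overview amounts to: no separators, so a conforming id cannot add path components.

```python
"""Tainted 'id' -> file write, as flagged in the two findings above, beside a guarded version.

Added example, not the skill's code. Only the two path expressions come from the
findings; everything else (names, limits, demo inputs) is assumed.
"""
import json
import re
import shutil
import tempfile
from pathlib import Path

# FHIR 'id' datatype: letters, digits, '-' and '.', 1..64 chars. No '/', '\' or NUL.
FHIR_ID_RE = re.compile(r"[A-Za-z0-9.\-]{1,64}")


def tainted_output_paths(output_dir, id):
    """The flow the report flags: the caller-supplied id lands in the path unchanged."""
    output_dir = Path(output_dir)
    codesystem_file = output_dir / f"CodeSystem-{id}.json"
    valueset_file = output_dir / f"ValueSet-vs-{id}.json"
    return codesystem_file, valueset_file


def escapes_output_dir(output_dir, target):
    """True when 'target' resolves outside 'output_dir'.

    resolve() collapses '..' segments lexically even for files that do not exist
    yet, which matters here: the artifact has not been written when we check."""
    base = Path(output_dir).resolve()
    return base not in Path(target).resolve().parents


def check_id(id):
    """Accept only ids that match the FHIR id pattern in full."""
    return bool(FHIR_ID_RE.fullmatch(id))


def guarded_output_paths(output_dir, id):
    """Validate the id first, then confirm both paths still sit under output_dir."""
    if not check_id(id):
        raise ValueError(f"not a valid FHIR id: {id!r}")
    paths = tainted_output_paths(output_dir, id)
    for p in paths:
        # Defence in depth: unreachable with a valid id, but cheap and explicit.
        if escapes_output_dir(output_dir, p):
            raise ValueError(f"{p} escapes {output_dir}")
    return paths


def write_artifacts(output_dir, id, codesystem, valueset):
    """Write both resources. Mode 'x' (exclusive create) replaces the original 'w'
    so a repeated id cannot silently overwrite an earlier artifact."""
    codesystem_file, valueset_file = guarded_output_paths(output_dir, id)
    with open(codesystem_file, "x") as f:
        json.dump(codesystem, f, indent=2)
    with open(valueset_file, "x") as f:
        json.dump(valueset, f, indent=2)
    return codesystem_file, valueset_file


def demo():
    """Show the traversal the tainted flow permits and that the guard refuses it."""
    out = Path(tempfile.mkdtemp(prefix="fhir-out-"))
    # Constructed sample ids: one traversal attempt, one benign.
    bad_id = "../../../../tmp/escaped"
    good_id = "sample-codes"
    bad_cs, _ = tainted_output_paths(out, bad_id)
    results = {
        "tainted_escapes": escapes_output_dir(out, bad_cs),
        "guard_rejects": not check_id(bad_id),
    }
    cs, vs = write_artifacts(
        out, good_id,
        {"resourceType": "CodeSystem", "id": good_id},
        {"resourceType": "ValueSet", "id": f"vs-{good_id}"},
    )
    results["written_inside"] = not (escapes_output_dir(out, cs) or escapes_output_dir(out, vs))
    shutil.rmtree(out, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The character allowlist is the real control; the containment check is kept because it costs nothing and catches a misconfigured output_dir or a later change to the file-name template. Note that "sanitising" by stripping "../" is not a substitute: "....//" survives a single strip pass, whereas a fullmatch against the allowlist has no such edge.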

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation directs use of local scripts that read and write files, access the network, and likely manage dependencies, but the metadata declares no permissions. This creates a transparency and consent problem: an agent or user may invoke the skill expecting documentation-only behavior while it actually performs filesystem and outbound network operations to external terminology servers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The declared description understates the actual behavior by omitting validation, code extraction from existing files, custom CodeSystem/ValueSet generation, generic ValueSet expansion, and environment setup. That mismatch can mislead users and automation about the skill’s operational scope, increasing the chance that broader file, network, and write-capable actions are executed without informed approval.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The script transmits the raw user-provided search query to a third-party service at clinicaltables.nlm.nih.gov without any explicit notice, consent prompt, or redaction. In a healthcare-oriented tool, queries may contain sensitive clinical terms, patient descriptors, or other regulated information, so this creates a privacy and data-handling risk even though it uses HTTPS and appears functionally necessary.
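A practical mitigation for this finding is to screen the lookup term before it leaves the machine and to show the user the exact URL that will be requested. The block below is an added example, not the skill's code. The host is the one named in the finding; the /api/<table>/v3/search?terms= path, the 64-character limit and the identifier patterns are assumptions chosen to illustrate the check, and the patterns are deliberately not a complete PHI detector.

```python
"""Outbound lookup guard for the raw-query finding above.

Added example, not the skill's code. The host comes from the finding; the API
path, the length limit and the identifier patterns are assumptions.
"""
import re
from urllib.parse import urlencode, urlunsplit

LOOKUP_HOST = "clinicaltables.nlm.nih.gov"
MAX_TERM_LEN = 64  # assumed: terminology lookups are short terms, not narratives

# Shapes that should never reach a third-party terminology server. Constructed
# for the example; a real deployment would tune these to its own data.
IDENTIFIER_PATTERNS = {
    "digit run (MRN/SSN/phone-like)": re.compile(r"\d{5,}"),
    "date": re.compile(r"\b\d{1,4}[-/]\d{1,2}[-/]\d{1,4}\b"),
    "email address": re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+"),
}


def screen_lookup_term(term):
    """Return the reasons the term must not be sent; an empty list means it may go."""
    reasons = []
    t = term.strip()
    if not t:
        reasons.append("empty term")
    if "\n" in t:
        reasons.append("multi-line input")
    if len(t) > MAX_TERM_LEN:
        reasons.append(f"longer than {MAX_TERM_LEN} characters: narrative, not a term")
    for name, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(t):
            reasons.append(f"contains {name}")
    return reasons


def build_lookup_url(table, term):
    """The exact URL that would leave the machine, built with proper encoding."""
    query = urlencode({"terms": term})
    return urlunsplit(("https", LOOKUP_HOST, f"/api/{table}/v3/search", query, ""))


def prepare_lookup(table, term):
    """Screen first, then build. Returns (url or None, reasons)."""
    reasons = screen_lookup_term(term)
    if reasons:
        return None, reasons
    return build_lookup_url(table, term), []


def transmission_notice(table, term):
    """Text to show before sending, so the user consents to the actual disclosure."""
    url, reasons = prepare_lookup(table, term)
    if url is None:
        return "Refusing to send this term: " + "; ".join(reasons)
    return f"About to send {term!r} to {LOOKUP_HOST} over HTTPS:\n  {url}\nContinue? [y/N]"


if __name__ == "__main__":
    # Constructed inputs: a clean clinical term and a narrative carrying identifiers.
    print(transmission_notice("icd10cm", "type 2 diabetes"))
    print(transmission_notice("icd10cm", "John Doe MRN 00123456 admitted 2024-03-01 with asthma"))
```

The screen is an allowlist on shape (short, single line, no identifier-like tokens), not a redaction pass: anything that fails is refused outright, because a term that needs redacting is a term the user should rephrase rather than one the tool should silently edit. Logging the full URL locally before sending also gives the operator an audit trail of exactly what was disclosed.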

VirusTotal

66/66 vendors reported this skill as clean.