ClawHub

Tcm Dietary Api

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed remote API client for TCM dietary suggestions, but users should know symptom and search queries are sent to api.tcmplate.com.

Install only if you are comfortable sending symptom descriptions, constitution details, ingredient names, and search terms to api.tcmplate.com. Do not include names, addresses, ID numbers, or other identifiers in free-text fields, because the code filters allowed field names but does not redact sensitive text inside those fields.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly describes sending symptom and health-related data to a remote third-party API, but it does not provide any user-facing privacy notice, data handling disclosure, retention policy, or consent guidance. Because the skill processes potentially sensitive medical information, this omission increases the risk of unintended disclosure and non-compliant handling of personal health data.

Missing User Warnings

High
Confidence
88% confidence
Finding
This function transmits user-supplied disease-related queries to a backend API, which involves sensitive health information. Even though the transport details are abstracted behind _api_request, sending disease data off-device without any visible disclosure, consent flow, or minimization in this skill creates a privacy/security risk because health data is especially sensitive and may be logged, profiled, or mishandled downstream.

External Transmission

Medium
Category
Data Exfiltration
Content
```

```bash
# curl 调用
curl -X POST https://api.tcmplate.com/api/diagnose \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
Confidence
89% confidence
Finding
curl 调用 curl -X POST https://api.tcmplate.com/api/diagnose \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# curl 调用
curl -X POST https://api.tcmplate.com/api/diagnose \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"symptoms":["失眠","心悸","健忘"]}'
Confidence
90% confidence
Finding
https://api.tcmplate.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 辨证诊断
curl -X POST https://api.tcmplate.com/api/diagnose \
  -H "Content-Type: application/json" \
  -d '{"symptoms":["口干","失眠","心烦"]}'
Confidence
88% confidence
Finding
curl -X POST https://api.tcmplate.com/api/diagnose \ -H "Content-Type: application/json" \ -d '{"symptoms":["口干","失眠","心烦"]}' # 知识检索 curl -X POST https://api.tcmplate.com/api/search \ -H "Conte

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 辨证诊断
curl -X POST https://api.tcmplate.com/api/diagnose \
  -H "Content-Type: application/json" \
  -d '{"symptoms":["口干","失眠","心烦"]}'
Confidence
88% confidence
Finding
https://api.tcmplate.com/

External Transmission

Medium
Category
Data Exfiltration
Content
-d '{"symptoms":["口干","失眠","心烦"]}'

# 知识检索
curl -X POST https://api.tcmplate.com/api/search \
  -H "Content-Type: application/json" \
  -d '{"category":"ingredients","keywords":["生姜"]}'
```
Confidence
86% confidence
Finding
https://api.tcmplate.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal