TCM Dietary Therapy

Security checks across malware telemetry and agentic risk

Overview

This skill is mainly a TCM food-therapy helper, but its full documentation also directs agents to read local book folders, learn from websites, and save knowledge on a recurring schedule without clear user approval.

Install only if you intend to use the learning/knowledge-base features and can restrict them to a dedicated, non-sensitive folder. Do not allow automatic daily learning, OCR, website ingestion, or knowledge-base writes unless you explicitly approve the scope each time. Treat its TCM outputs as informational only and consult a qualified clinician for medical decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The manifest frames the skill as a TCM dietary knowledge helper, but the body expands it into social-media copywriting, video-script generation, hot-food search, and content production workflows. This capability drift matters because agents may authorize broader actions than users expect, increasing the chance of unintended browsing, content generation, and downstream misuse under a misleadingly narrow description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill claims it will automatically read local PDF/text books from a workspace directory and extract/store knowledge, which is materially broader than a consultation assistant role. Autonomous ingestion of local files creates a real risk of unintended access to sensitive documents and persistence of extracted content without clear user approval or scope limitation.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The skill includes website learning and automated food collection features that introduce network access and data-ingestion behaviors not reflected in the manifest description. Undeclared external retrieval broadens the trust boundary, exposing the agent to prompt injection, untrusted content ingestion, and user-surprising network activity.
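The three mismatch findings above all reduce to one check: the capabilities the manifest's one-line description implies versus the capabilities the full body asks the agent to exercise. The script below is an added example of that check, written here for this page; it is not SkillSpector's code and not part of the skill. The signal phrases, the capability names and the sample SKILL.md text are constructed for illustration.

```python
"""Capability-drift check for an agent skill manifest (added example).

Compares the capabilities implied by a skill's short description against the
capabilities its body instructs the agent to use, and reports the undeclared
ones. Signal lists and sample documents are constructed, not taken from any
real scanner or skill.
"""
import re

# Hypothetical capability classes and phrases that usually indicate them.
CAPABILITY_SIGNALS = {
    "network": [r"\bwebsite", r"\burl\b", r"https?://",
                r"\bsearch(es|ing)?\b", r"\bfetch(es|ing)?\b"],
    "local_files": [r"\bread(s|ing)? .*?(folder|director)", r"\bpdf\b",
                    r"\bocr\b", r"\bworkspace\b"],
    "scheduled": [r"\bdaily\b", r"\bevery (day|week|hour)", r"\bcron\b",
                  r"\bschedul"],
    "persistence": [r"\bsave(s|d)?\b", r"\bstore(s|d)?\b",
                    r"knowledge.base", r"\bappend"],
    "content_generation": [r"\bsocial.media\b", r"\bvideo.script",
                           r"\bcopywrit"],
}

# Constructed sample: narrow description, much broader body.
SAMPLE_SKILL_MD = """---
name: tcm-dietary-therapy
description: Answers questions about TCM dietary therapy and suggests foods for common syndromes.
---
# TCM Dietary Therapy
Use the food tables below to recommend dishes for the user's syndrome.

## Learning
Every day, read all PDF and text books in the workspace/books folder
(run OCR on image PDFs), then save what you learned to the knowledge base.
Also visit the configured website list and fetch new seasonal recipes.

## Content
Write social media posts and video scripts about hot foods.
"""

# Same body, but the description now admits the network behaviour.
SAMPLE_SKILL_MD_DECLARED = SAMPLE_SKILL_MD.replace(
    "and suggests foods for common syndromes.",
    "and fetches seasonal recipes from configured websites.")


def detect(text):
    """Map capability -> sorted distinct phrases found in `text`."""
    low = text.lower()
    found = {}
    for cap, patterns in CAPABILITY_SIGNALS.items():
        hits = [m.group(0) for p in patterns for m in re.finditer(p, low)]
        if hits:
            found[cap] = sorted(set(hits))
    return found


def split_manifest(skill_md):
    """Return (description line, body after the front-matter block)."""
    m = re.search(r"^description:\s*(.+)$", skill_md, re.MULTILINE)
    description = m.group(1) if m else ""
    body = skill_md.split("---", 2)[-1]   # text after the closing '---'
    return description, body


def capability_drift(skill_md):
    """Capabilities the body exercises that the description never implies."""
    description, body = split_manifest(skill_md)
    declared = detect(description)
    actual = detect(body)
    return {cap: hits for cap, hits in actual.items() if cap not in declared}


if __name__ == "__main__":
    for cap, hits in capability_drift(SAMPLE_SKILL_MD).items():
        print(f"undeclared {cap}: {', '.join(hits)}")
```

Run on the constructed sample, the check reports network, local-file, scheduled, persistence and content-generation behaviour as undeclared, which is the shape of the three findings above; widening the description to mention website fetching clears only the network line, leaving the rest flagged. A keyword heuristic of this kind is a triage aid, not a proof of intent: it will miss capabilities phrased in other words, so the undeclared list is a prompt for a human to read the body, not a verdict.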

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README presents diagnosis, syndrome classification, personalized diet plans, health teas, exercises, and even sensitive sexual-health formulas as actionable medical functionality without any visible disclaimer that outputs are informational only and not a substitute for licensed medical care. In a health-focused skill, this omission can cause users to rely on unverified AI guidance for real conditions, delaying proper treatment or encouraging inappropriate self-management.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation says the agent will automatically read PDF/text books from a workspace location, including OCR processing for image PDFs, but provides no user-facing warning about privacy, sensitive content exposure, or retention. Because book directories often contain proprietary, personal, or regulated material, silent ingestion can leak or permanently store data users never intended to share with the skill.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Automatic daily learning implies continuous recurring access to local files and ongoing persistence of extracted content, yet the skill does not warn users that this monitoring/storage behavior exists. Persistent background ingestion raises the risk of repeated collection of newly added sensitive documents and silent accumulation of private data over time.
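The overview's install advice (a dedicated, non-sensitive folder, and explicit per-run approval for learning, OCR and knowledge-base writes) and the three ingestion findings above describe the same control from two sides. The guard below is an added example of enforcing that control on the host side; it is not code from the skill or from the scanner. The class and method names, the approval model and the demo workspace it builds are all hypothetical, constructed for this page.

```python
"""Scoped ingestion guard for a skill that reads local books (added example).

Enforces two things the overview asks for: reads are confined to one declared
folder (symlinks and '..' are resolved before the check, so a link inside the
folder cannot reach outside it), and every batch needs a fresh user approval,
so a "daily learning" loop cannot silently reuse yesterday's consent.
Names and the demo workspace are hypothetical.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class IngestionPolicy:
    root: str                                   # the only folder the skill may read
    allowed_suffixes: tuple = (".pdf", ".txt", ".md")
    approvals: set = field(default_factory=set)  # scopes approved for this run

    def __post_init__(self):
        self.root = os.path.realpath(self.root)

    def approve(self, scope: str) -> None:
        """Record an explicit user approval for one scope, valid for one batch."""
        self.approvals.add(scope)

    def authorize(self, scope: str, candidate: str) -> tuple[bool, str]:
        """Return (allowed, reason-or-real-path) for reading `candidate`."""
        if scope not in self.approvals:
            return False, f"scope {scope!r} not approved for this run"
        real = os.path.realpath(candidate)     # resolves symlinks and '..' first
        if os.path.commonpath([self.root, real]) != self.root:
            return False, f"{candidate} resolves outside {self.root}"
        if os.path.basename(real).startswith("."):
            return False, "hidden files are never ingested"
        if not real.lower().endswith(self.allowed_suffixes):
            return False, f"suffix of {os.path.basename(real)} not in allowlist"
        if not os.path.isfile(real):
            return False, "not a regular file"
        return True, real

    def ingest(self, scope: str, candidates: list[str]) -> dict:
        """Check a batch, then retire the approval so a scheduled re-run must ask again."""
        results = {c: self.authorize(scope, c) for c in candidates}
        self.approvals.discard(scope)
        return results


def build_demo_workspace() -> dict:
    """Constructed fixture: a books folder, a secret outside it, and a symlink
    inside the folder that points at the secret."""
    base = tempfile.mkdtemp(prefix="tcm-demo-")
    books = os.path.join(base, "books")
    os.makedirs(books)
    secret = os.path.join(base, "id_rsa")
    with open(secret, "w") as f:
        f.write("PRIVATE KEY (constructed placeholder)\n")
    good = os.path.join(books, "dietary-therapy.txt")
    with open(good, "w") as f:
        f.write("congee recipes (constructed)\n")
    link = os.path.join(books, "notes.txt")
    try:
        os.symlink(secret, link)
    except OSError:               # platforms without symlink support
        link = None
    return {"root": books, "good": good, "link": link, "secret": secret,
            "traversal": os.path.join(books, "..", "id_rsa")}


if __name__ == "__main__":
    ws = build_demo_workspace()
    policy = IngestionPolicy(root=ws["root"])
    policy.approve("books")
    batch = [p for p in (ws["good"], ws["link"], ws["traversal"]) if p]
    for path, (ok, why) in policy.ingest("books", batch).items():
        print("ALLOW" if ok else "DENY ", path, "->", why)
    ok, why = policy.authorize("books", ws["good"])
    print("second run without new approval:", ok, "-", why)
```

The realpath-before-check ordering is the part that matters: comparing the raw string against the root would accept both `books/../id_rsa` and the `notes.txt` symlink. Consuming the approval after each batch is what turns "automatic daily learning" back into a per-run decision, which is the behaviour the overview asks users to insist on.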

VirusTotal

VirusTotal findings are pending for this skill version.
