Claim Expert Digital Employee

Security checks across malware telemetry and agentic risk

Overview

The skill is an insurance-claims workflow that asks agents to process sensitive claim data and perform real business actions, but it is packaged as advisory-only and non-executing.

Review this before installing in any environment connected to real claims systems. It should be treated as an operational insurance workflow, not a harmless reference skill: require secure credential storage, explicit approval before sending data to external APIs, strict access controls for medical and identity data, and confirmation gates before registering, notifying, archiving, or closing cases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The manifest advertises the skill as advisory-only, human-reviewed, and non-executable, but the body defines operational workflows that register claims, query systems, calculate settlements, send notifications, and close cases. This mismatch can cause downstream platforms, reviewers, or users to grant the skill trust or permissions under false assumptions, enabling real-world business actions in a context that appears low-risk.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding:
The security notice explicitly claims no executable code, no persistent storage, no network calls, and no PII/business-data processing, yet later sections instruct running scripts, using APIs, writing audit logs, calling MCP systems, and processing sensitive claims data. This is dangerous because operators and control systems may trust the notice and lower scrutiny while the skill actually performs privileged, privacy-sensitive actions.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding:
Module 1 tells the agent to execute a local validation script even though the file previously asserts that no code or scripts are executed. Hidden or contradictory execution instructions increase the risk of unauthorized code execution in environments that may have permitted the skill only because it was represented as non-executable.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding:
Module 2 instructs running multiple Python scripts, providing an API key, invoking an external model service, and writing structured outputs, directly contradicting earlier claims of no code, no network, and no persistence. Because this module handles medical and claims documents, exploitation could expose highly sensitive personal and health data to external services and unreviewed local processing paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The skill asks for an API key as part of normal operation without clearly scoping how the secret is handled, stored, or protected. Requesting user-supplied credentials inside skill content increases the risk of secret leakage, reuse in unintended contexts, or collection by skills not formally designated for secret management.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
Module 2 says personal identity information is only used for the current review and not persistently stored, but it also defines persistent output directories and audit-log retention for at least five years. This inconsistency is dangerous because it obscures actual retention of sensitive identity and medical-processing artifacts, undermining privacy compliance and user expectations.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
Module 8 is framed as generating notices and communication scripts, but it also updates case status, archives documents, and generates case summaries, which are operational state-changing actions. This expands the blast radius from document drafting to irreversible business workflow changes, especially if users or systems treat it as a low-risk communications aid.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill instructs users to provide an API key for analysis without a clear warning about credential-handling risks, scope, storage, or third-party transmission. In a document-processing context involving sensitive medical claims, poor secret-handling guidance can lead to credential disclosure and broader compromise of linked services.

VirusTotal

63/63 vendors flagged this skill as clean.