Pregnancy Care

Security checks across malware telemetry and agentic risk

Overview

This pregnancy tracker is not malicious, but it saves very sensitive pregnancy information locally and tells the agent to create lasting memory without clear consent or deletion controls.

Install only if you are comfortable with pregnancy-related details being saved in local plaintext and potentially remembered by the agent. Use a private workspace, avoid entering unnecessary medical details, and review or remove stored data and any created memory when tracking is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill handles sensitive health data and appears to rely on file read/write capabilities without explicitly declaring permissions or warning users about local persistence. Hidden persistence expands the attack surface and can lead to unintended retention or exposure of pregnancy status, dates, roles, and milestones if the environment, logs, or shared storage are accessible.

Vague Triggers

Severity: Medium
Confidence: 70%
Finding: Broad examples like responding to generic phrases such as 'I'm pregnant' or 'Update me' can cause the skill to activate in contexts where the user did not intend to start or continue health-data tracking. In a sensitive medical context, accidental activation may prompt collection, inference, or display of private pregnancy information to the wrong user or channel.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill description omits a clear privacy warning despite processing highly sensitive health and relationship data across multiple users. Without prominent disclosure, users may not realize that pregnancy status, LMP, roles, and milestones are retained and separated by identifiers, increasing the risk of privacy violations and non-consensual data handling.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The instructions direct the agent to create persistent memory of a birth or pregnancy-ending event without warning or consent. Pregnancy outcomes are extremely sensitive health events, and automatically memorializing them can create lasting privacy harm, especially in shared systems, synced memories, or future interactions where the user did not expect this information to persist.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The code persists highly sensitive reproductive health data, including LMP, pregnancy status, completed medical tasks, and custom milestones, to a predictable plaintext JSON file under a workspace directory without any consent flow, access control, encryption, or minimization. In a multi-user or shared host environment, this increases the risk of privacy exposure through local file access, backups, logs, or accidental disclosure, especially given the sensitivity of pregnancy-related data.

VirusTotal

65/65 vendors flagged this skill as clean.
