Security audit

Open Health

Security checks across malware telemetry and agentic risk

Overview

This skill is built for real mental-health appointment booking, but it can send sensitive identity and insurance details to a remote public booking API with insufficient user-facing consent and scoping.

Review carefully before installing. Use it only if you trust the Klarity booking endpoint and are comfortable sending mental-health appointment details, full identity, contact information, date of birth, and insurance/member ID to that remote service. Before any real booking, confirm the exact payload and destination with the user, prefer dry-run validation first, and avoid using this skill for general mental-health conversation unless the user clearly asks to find or book care.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands and network access to a live third-party booking API, yet no explicit permissions are declared. In a healthcare booking context, this is especially risky because the workflow handles sensitive patient data and can initiate real-world actions without an enforceable permission boundary or user-visible capability declaration.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger condition is broad enough to activate on ordinary conversation about mental health topics, which can steer users into a healthcare booking flow even when they were only seeking general discussion. In this domain, over-triggering is more dangerous than usual because it may prompt unnecessary collection of health and insurance information and create confusion in sensitive situations, including crisis-adjacent conversations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API reference instructs clients to transmit highly sensitive personal and insurance data, including full identity, contact details, date of birth, and insurance member ID, while also stating that no authentication is required and providing no privacy, consent, minimization, or secure-handling guidance. In a healthcare booking context, this creates meaningful risk of unauthorized data submission, mishandling of regulated health-related information, and insecure integrations that expose patients to privacy and fraud harms.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends arbitrary appointment JSON to a third-party booking endpoint without any built-in consent prompt, redaction, or warning that sensitive health and insurance information will leave the local environment. In this skill's context, the payload is likely to contain mental-health and insurance data, making silent transmission especially risky from a privacy and compliance perspective.

External Transmission

Medium
Category
Data Exfiltration
Content
url="${BASE_URL}/api/v1/book"
[ "$command" = "book-dry" ] && url="${url}?mode=dry_run"

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d "$json" \
  "$url" | python3 -m json.tool
Confidence
97% confidence
Finding
curl -s -X POST \ -H "Content-Type: application/json" \ -d

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
"That slot was just taken — want me to search for the next available?"

On validation error:
Fix and retry. Don't ask the user to re-enter everything.

## Important Rules
Confidence
87% confidence
Finding
Don't ask the user

VirusTotal

66/66 vendors flagged this skill as clean.
