Security audit

HIPAA Patient Comms

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, instruction-only drafting aid for generic patient communications, with privacy caveats but no hidden execution or autonomous sending.

Install only if you want a drafting and review aid for generic healthcare messages. Provide the minimum patient details, limit file access to the drafts you choose, review all output before sending, and rely on your compliance officer or healthcare attorney for HIPAA policy, consent, and approved-channel decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 91%
Finding:
The trigger list is broad enough to activate on general healthcare communication requests, not just narrowly scoped HIPAA-safe drafting tasks. That can cause the skill to engage in situations involving regulated patient data or adjacent medical/admin workflows without first confirming authorization, communication channel, or whether the request fits the skill’s safety constraints.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill focuses on drafting patient communications but does not explicitly require that users only supply authorized patient data or use approved channels for sensitive information. In a healthcare context, this omission is dangerous because users may paste PHI into prompts or use the skill to prepare messages for insecure channels, creating privacy, compliance, and potential disclosure risks.

VirusTotal

49/49 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.