Api Odontosoft

Security checks across malware telemetry and agentic risk

Overview

This dental scheduling skill appears purpose-aligned, but it handles patient-identifying health data and can create appointments without clear privacy, consent, or scoping guidance.

Install only if the operator is authorized to access the Odontosoft account and handle patient data. Use least-privileged credentials, confirm patient lookup and appointment creation with the user, avoid logging document numbers or appointment details, and ensure your deployment meets applicable healthcare privacy and consent requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README documents operations involving patient lookup by document number and appointment scheduling through an external API, but it does not clearly warn that the skill handles patient-identifying and healthcare-related data. This can lead operators to enable or use the skill without understanding privacy, consent, logging, and compliance implications, increasing the risk of inappropriate disclosure of sensitive personal data.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill asks operators to configure an API token and describes functions that search patients and schedule appointments, but it does not prominently warn that it will access potentially sensitive health-related patient data in an external system. In a healthcare context, this lack of disclosure and consent framing increases privacy, compliance, and misuse risk.

Missing User Warnings

Medium
Confidence: 89%
Finding
The manifest enables lookup of patients by document number and scheduling of dental appointments over the network, which involves handling health-related and identifying personal data. Without any user-facing warning, consent guidance, or data-handling notice, users and operators may unknowingly expose sensitive information to a remote service, increasing privacy and compliance risk.

VirusTotal

VirusTotal findings are pending for this skill version.