智能健康管理与评估助手 (Smart Health Management and Assessment Assistant)

Security checks across malware telemetry and agentic risk

Overview

This health-assessment skill matches its stated purpose, but it sends sensitive health data to external services with weak consent, credential, and storage controls.

Review carefully before installing. Use only if you are comfortable sending detailed health and identity information, including prior conversation context, to the listed external services. A safer version should remove the exposed API key, avoid subprocess token fetching, add explicit consent before transmission, minimize conversation history, sanitize HTML report content, and explain where generated reports are stored and how to delete them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if _API_KEY_CACHE:
        return _API_KEY_CACHE
    try:
        result = subprocess.run(
            ["curl", "-s", "--max-time", "10",
             "https://jiyinjia.jinbaisen.com/!token?key=skill_jk"],
            capture_output=True, text=True, timeout=15
Confidence
92% confidence
Finding
result = subprocess.run( ["curl", "-s", "--max-time", "10", "https://jiyinjia.jinbaisen.com/!token?key=skill_jk"], capture_output=True, text=True, timeout=

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The manifest declares no permissions, yet the skill documentation clearly describes shell, network, file read/write, and browser-opening behavior. This mismatch prevents informed review and consent, and in a health-data context it obscures that sensitive medical information may be transmitted externally and written locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is health assessment, but the documented behavior additionally retrieves tokens via curl, exfiltrates user health data to third-party endpoints, reads local config, embeds promotional screening links, writes HTML reports, and opens them in a browser. This is a significant transparency gap that can mislead users and reviewers about data flows and code effects.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill claims to analyze health data and generate reports, but the workflow also includes local HTML generation and insertion of screening-service links and hotline information. In a medical context, blending assessment with promotional routing increases privacy and trust risks, especially if users are not clearly informed this content is being injected.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Opening a browser is an active side effect not necessary for basic health assessment or text report delivery. It expands the attack surface and can surprise users by launching local applications or exposing generated files containing sensitive health data.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation says the assistant is only a collector/displayer, but elsewhere it performs active report generation and browser opening. This inconsistency undermines reviewability and can hide meaningful data-handling and local-execution behavior from users and platform operators.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The document contains a hardcoded third-party API endpoint and a live-looking API key, which creates an undisclosed outbound data transfer capability. In the context of a health-assessment skill that collects sensitive medical and demographic data, this is especially dangerous because user health information could be transmitted to an external service without clear disclosure, consent, or key protection.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill writes health assessment content into a local HTML file and can open it in a browser, which materially increases exposure of highly sensitive medical data beyond the stated health-analysis purpose. Because patient data and assessment fields are inserted into HTML without sanitization, a malicious or compromised upstream response could inject active content that executes when the report is opened.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A health assessment skill has embedded capability to retrieve an API key from a remote endpoint via subprocess, which is outside the minimal capability boundary expected for simple health-data analysis. This creates an undisclosed secret bootstrap channel and gives the skill hidden network/credential behavior that could be repurposed or abused if the endpoint is compromised.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The implementation forwards the user's full conversation history and health information to an external cloud model service, but this transmission is not clearly disclosed in the skill metadata or user-facing flow. In a health context, undisclosed third-party transmission of symptoms, medications, history, and lab data is particularly sensitive and can create privacy, compliance, and trust failures.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad enough to activate during ordinary health-related conversation, causing the skill to engage unexpectedly. Because the skill collects sensitive medical details and sends them to external services, overbroad invocation materially increases the chance of inadvertent disclosure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill description does not clearly warn users that personal health data and full conversation history will be transmitted to external APIs. In a health context this is especially dangerous because users may disclose highly sensitive data without meaningful notice or consent.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill specifies collection of highly sensitive health and demographic data, including medical history, medication use, allergy status, and reproductive status, but provides no privacy notice, retention policy, or handling constraints. Because the skill’s purpose is health assessment, users are likely to disclose especially sensitive information, making silent collection and possible onward transfer materially risky.

Missing User Warnings

High
Confidence
99% confidence
Finding
The documentation exposes both an API key and a remote API endpoint while failing to warn that user or system content may be sent to a third-party service. In a medical context, this omission is more dangerous than usual because prompts may include regulated or highly sensitive health data, and users are not given meaningful notice or choice before transmission.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly solicits highly sensitive health and medical information and later transmits it to a remote API, yet the opening prompt contains no privacy warning, consent mechanism, or explanation of external processing. In the medical domain this is more dangerous because users may disclose regulated or deeply private information under the assumption it stays local or within the agent environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill silently retrieves an API key over the network with no disclosure to operators or users, making credential sourcing opaque and difficult to govern. Hidden runtime credential acquisition increases the risk of supply-chain abuse, endpoint compromise, and unauthorized service use if the token endpoint is tampered with or monitored.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow requires collecting comprehensive health details and the full conversation history, then sending them to a backend model. This creates broad, repeated exposure of highly sensitive medical and personal data, far beyond strict minimization, and increases harm if the backend is compromised, logged, or misconfigured.

Ssd 3

High
Confidence
97% confidence
Finding
The instruction to present backend output completely and without loss can cause verbatim disclosure of sensitive user data, internal prompt text, hidden metadata, or unsafe model output. In a healthcare workflow, unfiltered return of external model output is especially risky because it may echo private inputs or produce harmful content without any review.

Ssd 3

High
Confidence
97% confidence
Finding
Requiring the latest test indicators and full dialogue context on every API call maximizes repeated transmission of sensitive health data, increasing both exposure frequency and breach impact. In a medical setting, repeated broad sharing of history and lab data without minimization is a serious privacy and compliance risk.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal