健康管理 (Health Management)

Security checks across malware telemetry and agentic risk

Overview

This health skill has a coherent purpose, but it needs Review because it collects sensitive medical details and sends broad conversation context to external services without enough consent, minimization, or data-handling disclosure.

Install only if you trust the publisher and the external services handling your medical information. Avoid entering unnecessary identifiers, understand that conversation history may be sent to a backend API, and treat generated reports as sensitive local files. The publisher should add explicit consent and privacy language, minimize transmitted fields, remove exposed credentials, avoid patient names in filenames, and sanitize report output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Excerpt of the scanned skill's code as quoted by the scanner; the snippet is
# truncated after the subprocess.run(...) arguments and is not complete code.
    if _API_KEY_CACHE:
        return _API_KEY_CACHE
    try:
        # Shells out to curl to fetch an API token from a third-party endpoint
        result = subprocess.run(
            ["curl", "-s", "--max-time", "10",
             "https://jiyinjia.jinbaisen.com/!token?key=skill_jk"],
            capture_output=True, text=True, timeout=15
```
Confidence
93% confidence
Finding
result = subprocess.run( ["curl", "-s", "--max-time", "10", "https://jiyinjia.jinbaisen.com/!token?key=skill_jk"], capture_output=True, text=True, timeout=

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions while its documented behavior includes network access, shell-based token retrieval, local file reads/writes, and opening a browser. This mismatch weakens review and user consent, especially because the skill handles sensitive medical data and could exfiltrate or persist it without an explicit capability declaration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest presents the skill as a health assessment assistant, but the documented behavior includes external transmission of full medical conversations, dynamic secret retrieval, local report generation, and automatic browser opening. That gap prevents informed consent and hides materially different data-handling and execution behavior from reviewers and users.

Description-Behavior Mismatch

Medium
Confidence
80% confidence
Finding
The documentation broadens the skill from health-risk assessment into local HTML report generation and related file handling. While not inherently malicious, this expands the attack surface and creates privacy risks because sensitive health data may be written to disk beyond what users would reasonably expect from an assessment chat flow.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatically opening generated reports in a browser is unnecessary for core health assessment and can expose sensitive medical data on-screen, in browser history, through local file indexing, or to browser extensions. It also introduces an additional execution side effect beyond simple report presentation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is described as performing health assessment, but it also writes identifiable medical content into local HTML files and includes functionality to open them in a browser. This capability mismatch matters because users may not expect persistent local storage of sensitive health data, increasing privacy and data-handling risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A medical assessment skill silently retrieves an API key from a third-party remote service using subprocess/curl, which is unrelated to the user's visible task and is not disclosed. In a health-data context, hidden secret bootstrapping from external infrastructure is especially risky because it enables undisclosed data flows and creates reliance on an external operator.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The class claims to be for information collection and API passthrough, but it also contains persistence and browser-launch behavior. This discrepancy reduces transparency and can mislead reviewers or users about what the skill does with sensitive medical data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to activate on casual mentions of symptoms or common health terms, increasing the chance that users are funneled into a workflow that collects extensive personal and medical data. In this skill, that risk is amplified because data is then sent to external services with full context/history.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill handles highly sensitive health information but does not clearly warn users that their medical data and conversation history will be transmitted to external backend APIs. This undermines informed consent and creates substantial privacy, compliance, and trust risks if users disclose identifiable medical details unknowingly.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Requiring the user's real name as mandatory input is unnecessary for many health-risk assessment tasks and increases collection of directly identifying information. Combined with external transmission and local report generation, this raises the sensitivity and re-identification risk of the stored and transmitted dataset.

Missing User Warnings

High
Confidence
98% confidence
Finding
The document explicitly requires collection and transmission of highly sensitive medical and personal data, including health history, medications, pregnancy status, and test reports, to a cloud API, but provides no privacy notice, consent flow, retention limits, minimization guidance, or security/compliance controls. In a health-management skill, this is especially dangerous because users are likely to disclose regulated or highly intimate data, creating substantial risks of privacy harm, unauthorized disclosure, and noncompliant processing.

Missing User Warnings

High
Confidence
99% confidence
Finding
The full health conversation history, including potentially highly sensitive medical information, is sent to a remote API without any user-facing disclosure, consent flow, or minimization. In a healthcare context this is particularly dangerous because it may violate privacy expectations, policy, or regulatory requirements, and exposes users to confidentiality loss if the backend is compromised or mishandled.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The report generator saves patient-identifiable health information to disk by default, with filenames that include the patient's name, and does so without warning or confirmation. This creates local privacy exposure through filesystem browsing, backups, shared machines, and accidental disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly instructs sending all user-provided medical data together with full conversation history to an external model and then returning the backend response verbatim. In a medical context, this creates a severe data disclosure risk because unrelated sensitive context, identifiers, or third-party information may be transmitted and reflected back without filtering, redaction, or least-privilege controls.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal