Health Management

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs Review because it handles private health data and can automatically back it up to GitHub with broad local Git access.

Install only if you are comfortable storing health records in OpenClaw memory. Keep GitHub backup disabled unless you have reviewed the scripts, use a private dedicated repository and preferably dedicated credentials, verify the exact destination, and do not rely on the supplement dosing content as medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Intent-Code Divergence

Severity: Medium, confidence 93%
Finding
The document asserts that each user's data is isolated and that there is no cross-user data access, but the declared path pattern uses a free-form {username} component without showing any authorization or path validation controls. In a multi-user health-data skill, that gap can enable unauthorized reads or writes to other users' records if the username is user-influenced or insufficiently constrained.

Intent-Code Divergence

Severity: Medium, confidence 87%
Finding
The file claims health data never leaves the machine except through user-controlled GitHub backup, yet it also declares outbound web_search and web_fetch capability. Even if intended only for nutritional lookup, those network features create an additional exfiltration path because prompts, food logs, or derived health context could be sent externally during analysis.

Intent-Code Divergence

Severity: Medium, confidence 84%
Finding
The document gives contradictory statements about API-key handling: it says no API key is required, then says the skill references a key from the environment. This inconsistency undermines trust in the permission model and may mask undeclared secret usage or broader-than-described access to environment credentials.

Context-Inappropriate Capability

Severity: Medium, confidence 89%
Finding
Documented execution of shell scripts and Git/GitHub CLI commands exceeds the core purpose of analyzing health logs and increases the attack surface substantially. In the context of highly sensitive health data, invoking local scripts and repository tools can expose secrets, alter local configuration, or exfiltrate records if the scripts, paths, or repo settings are unsafe or user-misconfigured.

Context-Inappropriate Capability

Severity: Medium, confidence 84%
Finding
Dynamic web search introduces undeclared network access and causes user-provided food queries to be sent to external services. While useful for nutrition lookup, it creates privacy and integrity risks: sensitive dietary/health details may leave the local environment, and untrusted search results may be ingested into the food database and reused later.

Context-Inappropriate Capability

Severity: Medium, confidence 91%
Finding
This reference dataset includes operational instructions telling the agent to invoke web_search and to update its database dynamically, which expands the skill's behavior beyond passive reference content. That creates an integrity and transparency risk: untrusted external content could influence health-related outputs, and the skill may mutate its knowledge base without clear authorization or audit controls.

Context-Inappropriate Capability

Severity: Medium, confidence 96%
Finding
The guide explicitly instructs backing up supplement data to GitHub, which is an external sharing/storage destination unrelated to the user-facing onboarding flow and not framed as opt-in. Because supplement use and associated health goals are sensitive health data, pushing them to a repository can create unauthorized disclosure, over-retention, and accidental public exposure risks.

Description-Behavior Mismatch

Severity: Medium, confidence 93%
Finding
The file materially expands a general health-management skill into a supplement and quasi-treatment recommendation engine, including concrete dosing, timing, and goal-based protocols. In a non-clinical assistant context, this can drive users toward unsupervised self-medication, contraindicated supplement stacking, or delay of proper medical care.

Context-Inappropriate Capability

Severity: High, confidence 97%
Finding
This section includes anti-aging and metabolic interventions such as rapamycin, metformin, DHEA, and melatonin with therapeutic framing, which crosses into medical advice rather than wellness logging. Even with '需医嘱' (doctor's order required) notes, presenting these agents in recommendation tables normalizes potentially unsafe use of prescription or hormone-active substances without patient history, lab review, or clinician oversight.

Intent-Code Divergence

Severity: Medium, confidence 88%
Finding
The metadata and framing suggest constrained 'supplement management' and medical caution, but the body then provides detailed dose ranges and optimization-oriented recommendations. This mismatch can create false trust, causing users to interpret the content as responsibly bounded when it actually functions as actionable medical guidance.

Description-Behavior Mismatch

Severity: Medium, confidence 93%
Finding
The usage example explicitly states that supplement/health data is 'securely backed up to GitHub' and shows a successful push, introducing an undisclosed external data transfer outside the stated health-tracking scope. Because the data is health-related and potentially sensitive, depicting automatic exfiltration to a third-party platform without consent, privacy notice, repository visibility details, or access-control explanation is dangerous and can mislead users into sharing sensitive records unexpectedly.

Context-Inappropriate Capability

Severity: Medium, confidence 89%
Finding
A GitHub push capability is context-inappropriate for a health assistant because it creates a surprising channel for exporting personal health and supplement logs to a software-development platform unrelated to the user's expected wellness workflow. In this skill context, that mismatch increases risk: users are less likely to anticipate disclosure, assess repository exposure, or understand retention and sharing consequences.

Description-Behavior Mismatch

Severity: High, confidence 95%
Finding
The script initializes a Git repository and synchronizes data to a remote origin, which is unrelated to the stated health-management functionality and creates an undisclosed data export path. In a health skill context, this is especially sensitive because backups may contain personal health records, nutrition logs, or supplement data that should not be transmitted externally without explicit consent and tightly scoped controls.

Context-Inappropriate Capability

Severity: High, confidence 98%
Finding
Using REPO_URL to set the remote repository allows the script to send backed-up data to an arbitrary external Git endpoint. Because this skill handles health-related information, an attacker or misconfigured environment could exfiltrate highly sensitive user data to infrastructure outside the user's awareness.

Context-Inappropriate Capability

Severity: Medium, confidence 87%
Finding
Allowing HEALTH_BACKUP_DIR to override the backup location permits writes outside the expected skill data directory. This can lead to unintended file placement, tampering with other repositories or directories, and an increased blast radius if the script runs with elevated permissions.

Description-Behavior Mismatch

Severity: Medium, confidence 90%
Finding
The script pushes user health data to a remote Git repository and then queries GitHub metadata via `gh`, which extends data handling beyond a purely local assistant. In a health-management context, exporting sensitive personal health records to a remote code-hosting platform materially increases confidentiality and compliance risk, especially if the repository is misconfigured, shared, or public.

Description-Behavior Mismatch

Severity: Medium, confidence 88%
Finding
The script audits Git, GitHub, SSH, and workspace repository state even though the advertised skill is a health-management assistant. In this context, enumerating developer tooling, backup configuration, and repository metadata expands the skill's access to unrelated environment information and can normalize collection of system details beyond what users would reasonably expect.

Context-Inappropriate Capability

Severity: Medium, confidence 93%
Finding
Checking for SSH public keys and GitHub CLI authentication reveals whether the host has code-hosting credentials and authenticated access configured. Even without reading private keys, this is sensitive capability discovery that can be used to profile the environment and identify high-value accounts or exfiltration paths, which is not justified by the core health-assistant function.

Context-Inappropriate Capability

Severity: Medium, confidence 96%
Finding
The script can create a GitHub repository, configure it as a remote, and push backup contents for health data, which is an external data publishing capability. In the context of a health-management skill handling sensitive personal information, sending backups to GitHub without prominent consent and risk disclosure can expose private health data to third-party infrastructure or to an incorrectly configured repository.

Context-Inappropriate Capability

Severity: Medium, confidence 82%
Finding
The script reads and displays backup repository and remote URL information, and changes backup paths based on a sourced config file. In a health-data context, coupling user health records to Git/GitHub backup infrastructure increases the risk of accidental disclosure of sensitive repository locations or unsafe backup destinations, especially because the script blindly trusts and sources the config file.

Context-Inappropriate Capability

Severity: Medium, confidence 93%
Finding
The onboarding flow directs the assistant to automatically run a shell script that inspects Git installation, user config, SSH key presence, GitHub CLI, and repository state before the user has provided explicit informed consent. For a health-management skill, this is out-of-scope system inspection that unnecessarily expands access to local environment details and can expose sensitive metadata about the user's workstation and credentials setup.

Vague Triggers

Severity: Medium, confidence 89%
Finding
An automatic backup after any database modification is too broadly scoped for a skill handling sensitive health data. Without clear exclusions, confirmation flow, or sensitivity checks, routine edits could trigger unintended transmission of personal health information to a remote repository whenever backup is enabled.

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The README promotes automatic GitHub backup of user health data but does not prominently disclose that personal health records may be transmitted to a remote third-party platform. Because the skill handles sensitive health information, insufficient warning and consent around off-device transfer creates a real privacy and compliance risk even if the destination is the user's own repository.

Vague Triggers

Severity: Medium, confidence 78%
Finding
The natural triggers are broad enough to match ordinary health-related conversation, making accidental invocation likely. Because this skill can write local files, query the web, and optionally trigger backup behavior, overbroad activation increases the chance of collecting, storing, or transmitting sensitive health information without a sufficiently clear user action.

Vague Triggers

Severity: Medium, confidence 77%
Finding
The manifest description advertises ambiguous natural-language triggers rather than specific activation boundaries, which can cause unintended routing of common health chat into a stateful skill. In this context, accidental activation is more serious because the skill handles private health data and includes side-effectful capabilities like persistent storage, web search, and optional GitHub backup.

VirusTotal

64/64 vendors flagged this skill as clean.