ClawHub

Bytesagain Clinical Brief

Security checks across malware telemetry and agentic risk

Overview

The skill is a local medical-note formatting helper with no evidence of network exfiltration or destructive behavior, but clinical data entered into it may appear in command history and terminal output.

Install only if you are comfortable processing clinical text locally in this terminal environment. Prefer de-identified notes and lab values, avoid names, record numbers, exact dates, or other patient identifiers, and do not use it for regulated patient data unless your shell history, logs, screenshots, and terminal transcripts are handled under appropriate privacy controls. Treat its medical output as a drafting aid for qualified review, not clinical decision support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly invites users to submit raw clinical notes and lab results, which commonly contain protected health information, but provides no privacy handling guidance, de-identification requirement, storage/transmission warning, or minimum-safe-use instructions. In a medical context, this omission materially increases the risk of exposing sensitive patient data to downstream systems, logs, shell history, or third-party services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script prints raw clinical notes directly into terminal output, which can expose protected health information to shell history captures, terminal scrollback, logs, screenshots, or downstream tooling that records command output. In a clinical-note summarization skill, this is especially sensitive because users are likely to paste identifiable patient data, so echoing it back materially increases disclosure risk even if there is no network exfiltration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The lab command echoes the full results string back to output, which can reveal sensitive medical information and potentially identifying context if captured in terminal logs or shared outputs. Because this skill is explicitly designed to process clinical and lab data, the context makes inadvertent exposure more dangerous than in a generic text-processing tool.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal