medical-device-code-review

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only medical-device code review checklist, with no executable code, persistence, credential use, or data-sharing behavior.

Safe to install as a structured review aid. Treat its medical-device compliance output as an engineering checklist, not a substitute for qualified regulatory, clinical safety, or legal review; be aware it may activate on broad code-review wording and may default to China/NMPA assumptions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger list includes very broad everyday phrases such as '帮我看看代码', '有bug吗', and '代码有问题吗', which can cause the skill to activate for generic requests that are not specifically about regulated medical-device review. In an agent system, this overbroad invocation can route ordinary coding tasks into a specialized medical-compliance workflow, creating misapplication risk, incorrect assumptions about device-critical context, and unintended disclosure of code to the skill.

Natural-Language Policy Violations

Medium
Confidence: 87%
Finding
The description is entirely Chinese and framed around Chinese regulatory review requirements without indicating fallback behavior or obtaining user language/jurisdiction preference. This can cause the skill to respond in an unexpected language or impose China-specific compliance assumptions on users seeking general code review, reducing usability and potentially leading to incorrect regulatory guidance.

VirusTotal

60/60 vendors flagged this skill as clean.
