WHO Growth Charts

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it generates WHO child growth charts, with disclosed WHO downloads and local chart/cache files.

Install only if you are comfortable with Python plotting dependencies, one-way downloads from cdn.who.int, and local storage of child growth charts. Treat generated PNGs and any measurement JSON files as private health information, and clear the who-growth-charts cache/output directory when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and relies on network access and local file writes, but no explicit permissions are declared. That creates a transparency and consent problem: an agent or user may invoke a seemingly harmless charting skill without realizing it will fetch remote data, inspect environment/workspace context, and persist files locally. In this context the behavior is plausibly legitimate, but undeclared capabilities still increase risk because they enable unexpected external access and data persistence.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The description includes broad triggers such as child growth tracking, percentiles, and growth charts for kids, which could cause over-selection in loosely matched routing systems. This is not directly exploitable like code execution, but it can lead to unintended invocation of a skill that performs network access and file writes, making the broad phrasing more concerning in context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown says the skill downloads WHO data on demand and caches it locally, but it does not clearly warn users about outbound network access or local persistence at invocation time. This can surprise users, leak usage metadata to a remote host, and leave cached artifacts in the workspace without informed consent. The WHO-source context lowers suspicion of maliciousness, but the privacy and transparency issue remains real.

VirusTotal

66/66 vendors flagged this skill as clean.