Bio Ontology Mapper

Security checks across malware telemetry and agentic risk

Overview

This skill is a purpose-aligned biomedical terminology mapper, with clear privacy cautions for sensitive clinical text.

Install only if you are comfortable with a tool that can run a local Python mapper, read input files, write outputs, and optionally query NLM ontology APIs. For clinical notes or study data, de-identify PHI first, avoid API mode when policy requires local-only processing, and review low-confidence mappings with a qualified domain expert.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
Granting Bash execution to a biomedical text normalization skill is broader than necessary for its stated purpose and expands the attack surface substantially. If the skill processes untrusted input or is chained with other tools, shell capability can be abused for command execution, data exfiltration, or filesystem manipulation far beyond ontology mapping.

Context-Inappropriate Capability

Low
Confidence: 87%
Finding
Granting Bash execution to a biomedical text normalization skill is broader than necessary for its stated purpose and expands the attack surface substantially. If the skill processes untrusted input or is chained with other tools, shell capability can be abused for command execution, data exfiltration, or filesystem manipulation far beyond ontology mapping.

Missing User Warnings

Medium
Confidence: 88%
Finding
When API usage is enabled, user-supplied biomedical terms are sent to external UMLS services. In this skill context, inputs may contain protected health information or sensitive clinical text, so transmitting them to third-party services without an explicit privacy notice, consent flow, or sanitization creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 87%
Finding
The MeSH lookup sends raw user-provided biomedical terms to an external NLM endpoint. Because this tool is designed for biomedical terminology normalization, the surrounding context makes sensitive medical inputs more likely, increasing the chance of privacy leakage even though the transport is HTTPS.

VirusTotal

66/66 vendors flagged this skill as clean.
