medication-clock

Security checks across malware telemetry and agentic risk

Overview

This looks like a coherent local medication reminder, but it needs Review because some included scripts can modify sensitive medication records in under-scoped ways.

Install only if you are comfortable storing medication history locally under ~/.openclaw/medication_data. Review file permissions, keep CSV exports out of shared or synced folders unless intended, and avoid running test_system.py or its --cleanup option against real records unless you have verified the backup and accept that records may be reset.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (8)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill declares no permissions while its documented behavior requires shell execution and local file read/write access. That mismatch can bypass user expectations and platform trust decisions, especially because it handles sensitive medication history and persists data locally.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 86% confidence
Finding: The published description understates the actual behavior by omitting persistent configuration changes, local data creation under user directories, external command invocation, and multi-channel message generation. This is dangerous because users may consent to a simple reminder tool without understanding that it modifies local state and executes additional system-level behavior.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The manifest declares execute_command for a medication reminder and record-keeping skill, but that capability is not necessary for the stated purpose. Unneeded command execution materially expands the attack surface: if prompted or misused, the skill could run arbitrary system commands unrelated to medication tracking, leading to host compromise or unauthorized actions.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The export_to_csv method accepts a caller-controlled output_path and writes directly to it without restricting the destination to the skill's data directory. In an agent context, this enables arbitrary file write/overwrite behavior that exceeds the expected scope of a medication reminder and could clobber user files or place data in unintended locations.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The cleanup routine operates on the user's real application data directory under ~/.openclaw/medication_data, creates backups of those records, and then overwrites production JSON files with reset values. In a medication-tracking context, altering adherence history is safety-relevant because it can destroy or falsify health records rather than merely removing isolated test artifacts.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The function is labeled as 'cleaning test data,' but it actually backs up and resets official medication-records.json, stats.json, and settings-related files in the live data directory. This mismatch increases the chance that a user or operator will consent to an action they believe is harmless, leading to unintended loss or corruption of real medication history.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill stores sensitive health-related medication history and automatically creates local data files, but the user-facing description does not prominently warn about this. Medication adherence data is privacy-sensitive, and silent persistence increases the risk of unintended disclosure on shared machines or backups.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises file-writing and command-execution capabilities without warning users that it can modify local files or affect the host system. In a health-oriented reminder tool, this mismatch can mislead users into granting trust they would not give to a system-level utility, increasing the chance of unsafe execution and unnoticed side effects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal