ClawHub

CPAP PrismaAPP Log

Security checks across malware telemetry and agentic risk

Overview

This skill transparently fetches a user's CPAP health data and writes local Obsidian notes, with privacy-sensitive behavior that is disclosed and purpose-aligned.

Install only if you are comfortable storing PrismaAPP credentials locally and saving CPAP health data into your Obsidian vault. Protect config.json, keep it out of sync and source control, verify vault_path and log_dir before running backfill, and be cautious if your vault is cloud-synced or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly performs network access to a third-party medical service and writes files into an Obsidian vault, yet no explicit permissions are declared in the manifest. Missing permission declarations weaken review and runtime governance because users and platforms cannot accurately assess or constrain what the skill is allowed to do.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list includes broad natural-language phrases such as "sleep therapy" and "CPAP data" that could match ordinary conversation and cause unintended execution. Because the skill performs both network retrieval of health data and local file writes, accidental triggering could expose sensitive medical information or modify notes without clear user intent.

Vague Triggers

Low
Confidence
78% confidence
Finding
The skill allows "historical backfill" requests without clearly defined bounds, approval requirements, or safeguards. An underspecified backfill flow can lead to unexpectedly large data pulls and many file writes, increasing privacy exposure and the chance of overwriting or cluttering a vault.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal