Google Health

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only Google Health data extractor, but it handles sensitive health/profile data and should be used narrowly.

Install only if you are comfortable granting read-only access to Google Health, including profile/settings and health metrics. Keep the OAuth client secret and token cache private, avoid changing the base URL or scopes unless you trust the destination, and ask agents to limit date ranges and not log or forward raw health JSON unless explicitly needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The metadata advertises mutating capabilities such as create, update, and batchDelete for several health data types, directly contradicting the skill description that claims the client is read-only and does no writing. In an agent setting, capability metadata is often used to decide what actions are allowed, so this mismatch can enable unauthorized modification or deletion of sensitive health records if the underlying client or future code paths honor these operations.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The manifest promises only GET access to read-only v4 API paths, but the datatype definitions enumerate non-GET mutating operations for multiple resources such as exercise, sleep, weight, and body-fat records. This creates a dangerous trust-boundary violation: agents, reviewers, or orchestration layers may treat the skill as safe/read-only while hidden or latent metadata suggests write/delete behavior against highly sensitive health data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly states that stdout contains raw Google Health data as JSON, but it does not provide a prominent privacy warning or guidance that downstream agents may log, summarize, transmit, or persist stdout. Because the data includes sensitive health information, exposing it by default over the normal agent output channel materially increases the risk of unintended disclosure in multi-tool or logged environments.

Missing User Warnings

Medium
Confidence: 88%
Finding
The `api get <path>` escape hatch allows retrieval of arbitrary read-only v4 endpoints, including profile and settings data, but the documentation frames it as a convenience feature without a strong warning about the sensitivity of those responses. In an agent context, this broadens access beyond narrowly typed health metrics and can lead to over-collection or disclosure of personal profile information.

VirusTotal

63/63 vendors flagged this skill as clean.
