Dicom Segmentation Api

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible medical-imaging purpose, but the package is incomplete and could expose sensitive DICOM uploads through a broadly bound API with unclear dependency and data-protection controls.

Review the actual api_server.py and requirements.txt before running this skill. Test only with de-identified sample data, bind to localhost unless you intentionally deploy it, and do not use real patient data without authentication, TLS, firewall controls, pinned dependencies, and a clear output cleanup policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly supports DICOM upload and processing but provides no warning that DICOM files often contain protected health information and other sensitive metadata. This omission can lead users to upload real patient data to an API endpoint without understanding privacy, compliance, retention, or transmission risks, which is especially concerning in a medical-imaging context.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script automatically runs `pip install -r requirements.txt` when imports fail, which modifies the local Python environment without explicit user consent, confirmation, or isolation. This is risky because installing dependencies from an unpinned or untrusted requirements file can execute arbitrary code through package installation hooks and can also alter system state unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
