Health Mate

Security checks across malware telemetry and agentic risk

Overview

This health-report skill mostly matches its stated purpose, but it needs Review because crafted report text can become local Python code in its shell runners and sensitive health data flows lack strong guardrails.

Install only if you are comfortable reviewing and controlling the runtime configuration. Keep MEMORY_DIR narrowly scoped, keep config/.env private and trusted, leave Tavily, webhooks, REPORT_WEB_DIR, and REPORT_BASE_URL unset unless you intentionally want those external/public flows, and avoid scheduled shell-runner delivery until the heredoc interpolation bug is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for attempt in range(max_attempts):
    try:
        result = subprocess.run(
            [openclaw_bin, 'agent', '--local', '--to', '+860000000000', '--message', prompt],
            capture_output=True,
            text=True,
Confidence
82% confidence
Finding
result = subprocess.run( [openclaw_bin, 'agent', '--local', '--to', '+860000000000', '--message', prompt], capture_output=True, text=True,

Tainted flow: 'web_pdf_path' from os.environ.get (line 3451, credential/environment) → shutil.copy2 (file write)

Medium
Category
Data Flow
Content
if web_dir and os.path.exists(web_dir) and base_url:
    filename = os.path.basename(local_pdf_path)
    web_pdf_path = os.path.join(web_dir, filename)
    shutil.copy2(local_pdf_path, web_pdf_path)
    return f"{base_url}/(unknown)"
return local_pdf_path
Confidence
87% confidence
Finding
shutil.copy2(local_pdf_path, web_pdf_path)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill description understates sensitive behavior by framing the tool as a local health-report generator while the documented functionality includes provider/hospital recommendation flows, optional external retrieval/ranking, and analysis of additional medical-history files. That mismatch can mislead reviewers and users about the scope of medical-data processing and external lookups, reducing informed consent and increasing the chance that sensitive health context is handled or transmitted unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The function accepts caller-controlled memory_dir and output_path values and uses them directly for file reads and writes without constraining them to an approved base directory. In a skill that handles sensitive health logs, this can enable unintended access to arbitrary local files or writing archives to unexpected locations if an untrusted caller or misconfiguration supplies crafted paths.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script accepts memory_file from argv and reads it directly, but does not enforce that the path stays within the configured MEMORY_DIR despite the skill description claiming that boundary. An attacker or confused caller can point the script at any readable local file, causing unintended disclosure of arbitrary local content through parsing, generated reports, and downstream LLM prompts.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill enumerates and executes an external OpenClaw binary to generate commentary and plans, which expands the trust boundary beyond the Python script. Because the prompts contain structured health data and the binary is discovered from mutable system locations, a malicious replacement binary could both execute code and capture sensitive user information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script accepts arbitrary command-line source and output paths and resolves them directly, rather than enforcing that reads come from the configured memory directory and writes stay within a project-local output directory. In a health-log skill, this weak boundary can expose or overwrite sensitive personal files if the script is invoked with unexpected paths, making the manifest's stated data-locality guarantees unenforceable.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This reporting script goes beyond summarizing logs and performs medical care routing, including deciding when the user 'needs followup' and assembling provider recommendations. In a health-report skill, that materially expands capability and risk because it can influence medical decisions without clear safety controls, authorization boundaries, or clinical validation shown here.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code uses local LLM output plus Tavily search results to generate, normalize, rank, and present named hospital and doctor recommendations. That is a sensitive, high-consequence function unrelated to basic report rendering, and errors, hallucinations, or stale search data could directly steer users toward inappropriate care choices.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script can publish generated reports by copying them into a web-facing directory and returning a public URL, which exceeds a local-only reporting expectation. In the context of monthly health reports, that creates a real confidentiality risk because deployment configuration alone can turn local artifacts into remotely accessible records.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code serializes medication, symptoms, weight, and other health-related records to JSON on disk with no consent prompt, sensitivity warning, retention control, or file-permission hardening. In the context of a health-report skill, this increases the risk of privacy exposure through accidental persistence, backups, broad filesystem access, or later exfiltration by other local processes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code conditionally downloads a font over the network at runtime and writes it into the local assets directory without any integrity verification, signature check, or explicit user-visible disclosure at the time of download. If the remote source is compromised or traffic is intercepted in an environment with weak TLS trust controls, the application could persist attacker-controlled font data locally, creating a supply-chain risk and potentially exposing downstream font-parsing components to malformed or malicious files.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code forms search queries from condition/health context and sends them to Tavily when an API key is configured, creating external transmission of potentially sensitive medical-context data. In a health-report skill, even partial condition-linked queries can expose protected personal context, making this more sensitive than generic web search.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script sends full prompts and system prompts containing health-derived content to a separate OpenClaw process without any trust or disclosure controls at this call site. Even if nominally 'local', this is still a cross-process disclosure of sensitive data and may involve plugins or binaries outside the author's control.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically creates the output directory and writes per-day health report files, potentially overwriting existing files, without confirmation, backup, or a warning that the generated content contains sensitive medical and lifestyle data. In this context, silent file creation and replacement increases privacy and integrity risk because users may unintentionally duplicate or expose health records in additional locations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The wizard collects highly sensitive personal data including health conditions, weight, allergies, and residence details, then persists them to config/user_config.json without an explicit privacy notice, consent prompt, retention guidance, or file-permission hardening. In a local agent skill, this increases the risk of unintended disclosure through backups, source control mistakes, shared machines, or overly broad filesystem permissions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Sensitive monthly health PDFs are copied to a web directory and exposed through a returned URL, but this file does not show any user warning, confirmation, or privacy notice at the point of disclosure. For medical content, silent publication is especially risky because users may assume output remains local while it becomes reachable through web infrastructure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The prompts sent to run_local_llm and Tavily include detailed residence, conditions, symptom counts, monitoring, and follow-up context, which are sensitive health and personal data. This file does not show an in-flow disclosure, minimization, or consent check before transmitting that data to external search services or even secondary AI components, creating privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.