Health Report

Security checks across malware telemetry and agentic risk

Overview

This health-report skill does what it claims, but it handles sensitive health data and has default AI/search/outbound paths that deserve careful review before installation.

Install only if you are comfortable with health records being used in AI prompts and potentially sent to configured messaging platforms and Tavily/OpenClaw agent workflows. Use a dedicated MEMORY_DIR, avoid public REPORT_BASE_URL exposure for private PDFs, configure only the outbound channels you truly need, rotate webhook/bot/API keys, and review generated logs/reports for sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    for attempt in range(3):
        try:
            result = subprocess.run(
                ['openclaw', 'agent', '--local', '--to', '+860000000000', '--message', prompt],
                capture_output=True, text=True, timeout=90,
                env={**os.environ, 'SYSTEM_PROMPT': '你是一位专业的私人营养师,专门服务胆结石患者。'}
Confidence
95% confidence
Finding
result = subprocess.run( ['openclaw', 'agent', '--local', '--to', '+860000000000', '--message', prompt], capture_output=True, text=True, timeout=90,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    for attempt in range(3):
        try:
            result = subprocess.run(
                ['openclaw', 'agent', '--local', '--to', '+860000000000', '--message', prompt],
                capture_output=True, text=True, timeout=90,
                env={**os.environ, 'SYSTEM_PROMPT': '你是一位专业的私人营养师。输出纯 JSON,不要其他文字。'}
Confidence
95% confidence
Finding
result = subprocess.run( ['openclaw', 'agent', '--local', '--to', '+860000000000', '--message', prompt], capture_output=True, text=True, timeout=90,

Tainted flow: 'req' from os.environ.get (line 451, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                "max_results": max_results
            }).encode('utf-8')
            req = urllib.request.Request(url, data=data, headers={'Content-Type': 'application/json'})
            resp = urllib.request.urlopen(req, timeout=60)
            result = json.loads(resp.read().decode('utf-8'))
            return result.get('results', [])
        except Exception as e:
Confidence
97% confidence
Finding
resp = urllib.request.urlopen(req, timeout=60)

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script loads a shared .env file and then uses messaging-related secrets to deliver generated health data to external services. Even if intended for notification, this expands the skill from local report generation into credential-backed exfiltration of potentially sensitive health information, which is risky when not narrowly scoped or explicitly disclosed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script transmits the generated health report to DingTalk, Feishu, and Telegram, sending potentially sensitive personal data to multiple third-party endpoints. In a health-reporting context, outbound multi-channel delivery materially increases exposure, retention, and accidental disclosure risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The health report generator performs external web search unrelated to basic local PDF/text generation, which broadens data exposure and dependency risk. In a health-reporting skill, adding undisclosed third-party enrichment is more dangerous because it can leak sensitive medical context and make behavior inconsistent with user expectations.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Executing a subprocess-based agent command for commentary is risky because it invokes an untrusted secondary system and passes sensitive health data into it. In this skill context, the capability is not essential to core report generation and creates unnecessary exfiltration and content-injection risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module's safety/compliance claims state that when webhooks are not configured the system only generates local PDFs, but the code still performs Tavily network calls and external agent operations regardless. This mismatch can mislead operators into believing no sensitive health data leaves the host when in fact it may be transmitted externally.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest advertises outbound webhook and bot integrations for DingTalk, Feishu, and Telegram while the skill processes sensitive health-report data, but it does not disclose data-sharing behavior or obtain explicit user consent. In a health context, silent transmission to external services can expose medical, dietary, and wellness information to third parties, making this materially more dangerous than a generic notification feature.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends health report contents to external services without any user-facing warning, confirmation, or consent flow. Silent transmission of sensitive health data is dangerous because users may reasonably assume the report stays local while it is actually disclosed to third parties.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The subprocess invocation sends detailed health metrics, symptoms, and condition-specific context to an external agent without a clear user-facing warning or consent flow. Because the data is medical in nature, this disclosure is especially sensitive and can create privacy, compliance, and secondary-use risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Tavily request transmits query data and API credentials without an explicit user disclosure mechanism. In this health-reporting context, even derived shortcoming queries can reveal medical or lifestyle information that users may reasonably expect to remain local.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The second agent subprocess shares health-derived planning context externally without a clear warning, repeating the same privacy issue in another execution path. Because it includes user profile and shortcomings, it increases the scope of sensitive data disclosed and compounds compliance risk.

Ssd 3

High
Confidence
98% confidence
Finding
Sensitive health memory contents are embedded into prompts and report text in plain language, exposing condition, symptoms, intake, and activity details broadly. In a medical-report skill this is especially dangerous because downstream logs, subprocesses, terminals, PDFs, and other systems may retain or redistribute the data.

Ssd 3

High
Confidence
98% confidence
Finding
The next-day planning prompt includes private profile data, allergies, food preferences, condition, and health shortcomings, all of which are sensitive and unnecessary in full fidelity for external model use. This creates unnecessary disclosure risk and can expose highly personal health-related information to third parties or logs.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Install: pip install -r requirements.txt

# PDF generation
reportlab>=4.0.0
Pillow>=10.0.0

# Optional dependencies (for advanced features)
Confidence
91% confidence
Finding
reportlab>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# PDF generation
reportlab>=4.0.0
Pillow>=10.0.0

# Optional dependencies (for advanced features)
# requests>=2.31.0  # HTTP requests (if network features are needed)
Confidence
92% confidence
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: reportlab — 6 advisory(ies): CVE-2023-33733 (Reportlab vulnerable to remote code execution); CVE-2020-28463 (Server-side Request Forgery (SSRF) via img tags in reportlab); CVE-2019-19450 (ReportLab vulnerable to remote code execution via paraparser) +3 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
reportlab

Known Vulnerable Dependency: Pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
Pillow

VirusTotal

66/66 vendors flagged this skill as clean.