Pilot Healthcare Triage Setup

Security checks across malware telemetry and agentic risk

Overview

This healthcare triage setup is coherent, but it handles sensitive patient data while overstating HIPAA readiness and omitting basic privacy and deployment safeguards.

Review carefully before installing. Use only synthetic data until your organization has verified encryption, access controls, audit retention, credential handling, EHR/calendar agreements, and legal/compliance approval. Do not rely on this skill's HIPAA wording as proof that the resulting deployment is compliant.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The skill explicitly markets the records component as 'HIPAA-compliant' but only provisions generic agents, logging, data flows, and certificate management references without defining the required administrative, technical, and operational safeguards. In a healthcare context, overstating compliance can lead operators to process PHI under a false assumption of legal and security adequacy, increasing the risk of unauthorized disclosure and regulatory violations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The README describes a healthcare workflow that transmits protected health information between multiple agents and external integrations, but it provides no privacy warning, data-minimization guidance, or safeguards for handling real patient data. In a medical/HIPAA context, omitting explicit data-handling cautions can lead operators to deploy or test with live PHI in ways that violate compliance requirements or expose sensitive records.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The example commands include plaintext payloads containing highly sensitive medical details such as symptoms, history, urgency, and appointment information, without warning users not to use real patient data. Because this skill is specifically for healthcare triage, operators may copy these commands into logs, terminals, shells, demos, or shared environments, causing PHI leakage and downstream compliance violations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill includes healthcare intake, triage, scheduling, and records workflows with concrete examples that transmit patient symptoms and identifiers, but it provides no warnings or constraints about using real PHI, data minimization, secure environments, or regulatory handling. In medical workflows, omitting these warnings materially increases the chance that users test or deploy with sensitive patient data in insecure or noncompliant ways.
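The three "Missing User Warnings" findings above all come down to the same gap: nothing in the skill gates test data, minimizes what each downstream agent receives, or scrubs payloads before they are echoed to a terminal or log. The following is an added example of those three controls, written for this page and not taken from the scanned skill. Every name in it is an assumption: the flat JSON payload shape and field names, the downstream agents "triage" and "scheduling", the per-agent field allowlists, and the data_source == "synthetic" marker used to distinguish test data.

```python
"""Added example (not part of the scanned skill): gating, data minimization
and log scrubbing for a triage payload before it leaves the intake agent.

Assumptions, all hypothetical: payloads are flat dicts with the field names
below, downstream agents are named "triage" and "scheduling", and a
data_source == "synthetic" marker identifies test data.
"""
import re

# Direct identifiers (subset of the HIPAA Safe Harbor list); field names assumed.
DIRECT_IDENTIFIERS = {"name", "dob", "mrn", "ssn", "phone", "email", "address"}

# Least-privilege field sets: what each downstream agent needs and nothing more.
AGENT_FIELDS = {
    "triage": {"symptoms", "history", "urgency", "age_band"},
    "scheduling": {"urgency", "appointment", "mrn"},  # needs a patient key, not symptoms
}

# Patterns for free-text scrubbing before a payload is echoed to a terminal or log.
# Order matters: SSN and date forms are consumed before the looser phone pattern.
_SCRUB_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\bMRN[-: ]?\d{4,}\b", re.IGNORECASE), "[MRN]"),
    # Lookarounds rather than \b so an ISO timestamp like 2024-05-20T09:00 still matches.
    (re.compile(r"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)"), "[DATE]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]


def minimize(payload: dict, agent: str) -> dict:
    """Keep only the fields the named agent is allowed to receive."""
    allowed = AGENT_FIELDS[agent]
    return {k: v for k, v in payload.items() if k in allowed}


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, placeholder in _SCRUB_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def scrub_payload(payload: dict) -> dict:
    """Log-safe view: redact direct identifiers, scrub free text, keep the rest."""
    safe = {}
    for key, value in payload.items():
        if key in DIRECT_IDENTIFIERS:
            safe[key] = "[REDACTED]"
        elif isinstance(value, str):
            safe[key] = scrub_text(value)
        else:
            safe[key] = value
    return safe


def prepare_for_agent(payload: dict, agent: str, allow_real_data: bool = False) -> tuple:
    """Gate, minimize and produce a log-safe copy in one step.

    Refuses anything not marked synthetic unless the caller opts in explicitly,
    which should only happen after the controls listed in the overview are verified.
    Returns (payload_to_send, payload_safe_to_log).
    """
    if payload.get("data_source") != "synthetic" and not allow_real_data:
        raise ValueError("refusing non-synthetic payload; opt in only after controls are verified")
    outbound = minimize(payload, agent)
    return outbound, scrub_payload(outbound)


# Constructed sample intake; every value is synthetic.
SAMPLE_INTAKE = {
    "data_source": "synthetic",
    "name": "Test Patient",
    "dob": "1980-01-01",
    "mrn": "MRN-000123",
    "phone": "555-010-0123",
    "symptoms": "chest pain since 2024-05-17, call back on 555-010-0123",
    "history": "hypertension",
    "urgency": "high",
    "appointment": "2024-05-20T09:00",
    "age_band": "40-49",
}

if __name__ == "__main__":
    for agent_name in AGENT_FIELDS:
        send, log_view = prepare_for_agent(SAMPLE_INTAKE, agent_name)
        print(agent_name, "send:", send)
        print(agent_name, "log :", log_view)
```

Two design points. Minimization happens before scrubbing, so the scheduling agent never sees symptoms at all rather than seeing a redacted version of them; the MRN it legitimately needs is still sent but is replaced with [REDACTED] in anything written to a log. Regex scrubbing is a last line of defence for free-text fields and will miss identifiers in unexpected formats, which is why the synthetic-data gate and the per-agent allowlists carry most of the weight.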

VirusTotal

66/66 vendors reported this skill as clean. That result covers known-malware signatures only; it says nothing about the prompt-injection, data-handling, or compliance findings above, which a signature scan cannot detect.