tcm-wellness

Security checks across malware telemetry and agentic risk

Overview

This TCM wellness skill is coherent and not malware, but it automatically builds and reuses persistent health profiles without clear opt-in, deletion, or privacy controls.

Install only if you are comfortable with the skill keeping local long-term health records and using them across future consultations. Before using it, confirm where the memory directory is stored, how to disable saving, and how to review or delete stored profiles, consultation blocks, reflection reports, and evolution logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Severity: Medium | Confidence: 94%
The document specifies a persistent memory architecture that stores user-level health dossiers, memory blocks, reflections, and evolution logs across sessions. For a wellness advice skill, this materially expands collection and retention of sensitive health data beyond what is necessary for a single consultation, increasing privacy, misuse, and breach risk.

Context-Inappropriate Capability

Severity: High | Confidence: 97%
The path design explicitly states user-level memory is shared across projects, meaning health history can follow the user outside the original consultation context. Cross-project sharing of sensitive health information creates unnecessary exposure, violates context boundaries, and raises the risk of unauthorized reuse by unrelated skills or workflows.

Description-Behavior Mismatch

Severity: Medium | Confidence: 96%
Although the text claims anonymization, it allows direct use of user nicknames such as '张先生' or '小李' as identifiers. Nicknames are often identifying or linkable, so this undermines the privacy model and makes re-identification of stored health records easier.

Context-Inappropriate Capability

Severity: Medium | Confidence: 82%
The self-evolution and knowledge-correction mechanisms allow the skill to automatically adjust recommendations and maintain learned behavior over time based on user records. In a health-adjacent setting, such autonomous adaptation without strong validation, oversight, or user consent can propagate errors and broaden the system's behavior beyond its stated advisory role.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
The document presents the identifier scheme as privacy-preserving while permitting direct nickname use, which is inconsistent and misleading. This can cause operators to overestimate privacy protections and store sensitive health data under quasi-identifying labels.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
The script creates a persistent long-term memory system for per-user health profiles, constitutions, symptom history, and treatment tracking. In a TCM wellness skill, storing longitudinal medical-style records materially increases privacy and security risk because it enables retention of sensitive health data beyond the immediate response need, and there is no visible consent, minimization, access control, or deletion logic in this file.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
The user profile templates explicitly include highly sensitive health information such as allergies, medications, known diseases, and prescription effectiveness tracking. Persisting this category of data without any safeguards shown here makes unauthorized disclosure or misuse more damaging, especially because health data is uniquely sensitive and can reveal intimate medical conditions over time.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
The script goes beyond an on-demand wellness advisor by aggregating historical user memory blocks, analyzing trends, and generating retrospective reports tied to a user ID. This expands the skill into persistent health-data profiling, which is sensitive in context and can violate least-privilege and user-expectation boundaries if not explicitly disclosed and authorized.

Context-Inappropriate Capability

Severity: Medium | Confidence: 91%
The archive routine mutates long-term user memory files by inserting an archived flag based on timestamps and priority, even though the skill is described as a wellness advisor rather than a memory-management tool. In a health context, unauthorized modification of stored records can affect downstream analysis, retention guarantees, auditability, and user trust, especially if these files are later used for care guidance or compliance-sensitive review.

Vague Triggers

Severity: Medium | Confidence: 81%
The trigger terms are broad common health words, making accidental activation likely during ordinary conversation. Because this skill is designed to read/write persistent health memory, over-triggering can cause unnecessary collection or reuse of sensitive information when the user did not intend to enter a tracked consultation flow.

Vague Triggers

Severity: Medium | Confidence: 84%
The return-visit and summary triggers are ambiguous and can activate on vague phrases like 'last time' or 'summarize,' which may appear in unrelated contexts. In this skill, that ambiguity is more dangerous because it may prompt retrieval of prior health records or generation of sensitive summaries without a clear request for historical data access.

Missing User Warnings

Severity: High | Confidence: 99%
The skill explicitly persists health information, constitution, medical history, and treatment feedback, but provides no clear privacy notice, retention disclosure, or consent workflow. Health-related data is especially sensitive, so storing it silently creates confidentiality, compliance, and trust risks even if no overt exfiltration is described.

Missing User Warnings

Severity: Medium | Confidence: 96%
The workflow instructs automatic reads and writes of local health profile and memory files, yet does not require any user prompt before those file operations occur. Silent file access is risky because it expands the skill from conversational advice into background data processing of sensitive records without informed consent.

Missing User Warnings

Severity: Medium | Confidence: 88%
The document gives self-care acupressure guidance for symptoms such as headache, insomnia, abdominal pain, cough, hypertension-related complaints, and gynecologic issues ahead of any prominent warning that these measures are only adjunctive and not a substitute for medical care. In a health-advice skill, delayed or weak safety framing can cause users to rely on the content for symptoms that may require timely diagnosis, especially for pregnant users or people with serious underlying conditions.

Missing User Warnings

Severity: High | Confidence: 98%
The skill describes automatic writing and long-term retention of health profiles, histories, and sensitive attributes such as allergy history, medication use, and known diseases without any documented user-facing notice or consent flow. In a health context, silent persistence of this category of data is a serious privacy and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 90%
The auto-triggered reflection process reads and summarizes historical health records without a clear user reminder or consent checkpoint at trigger time. This increases the chance that sensitive data will be reprocessed or surfaced unexpectedly, which is especially risky in a wellness/health setting.

Missing User Warnings

Severity: Medium | Confidence: 95%
The document provides extensive health and dietary guidance, including condition-linked recommendations and recipe-style interventions, without a disclaimer that the content is general wellness information rather than medical advice. In a health-oriented skill, users may reasonably rely on this material for self-management of symptoms, which can delay appropriate diagnosis or conflict with individual conditions, medications, allergies, or pregnancy status.

Missing User Warnings

Severity: Medium | Confidence: 95%
This reference file provides detailed symptom-to-syndrome mappings, tongue and pulse interpretation, and named formulas, but it lacks any visible warning that the material is informational only and not a substitute for licensed medical evaluation. In the context of a wellness skill that may guide users with active symptoms, this can encourage self-diagnosis, delayed care, or unsafe reliance on traditional pattern matching for potentially serious conditions.

Ssd 3

Severity: Medium | Confidence: 97%
The instructions direct the skill to persist and later summarize users' health history across sessions, creating a longitudinal dossier of sensitive medical-like disclosures. In a wellness context this is particularly dangerous because repeated symptom descriptions, constitution labels, and treatment responses can reveal intimate health patterns beyond what users expect from a chat interaction.

Ssd 3

Severity: Medium | Confidence: 96%
The skill is instructed to identify returning users and read long-term profile/index files so prior health records can influence new responses. This creates a privacy and authorization risk because identity linkage and historical record retrieval may occur implicitly, potentially exposing one person's health information in another session or without fresh consent.

Ssd 3

Severity: Medium | Confidence: 96%
The workflow mandates writing every consultation into persistent memory blocks and updating long-term health archives. Automatic comprehensive logging of health conversations increases the blast radius of any local compromise, misidentification, or accidental disclosure because each interaction becomes part of an accumulating sensitive record.

Ssd 3

Severity: Medium | Confidence: 92%
The reflection flow aggregates stored memory blocks, analyzes trends, and updates reports, effectively performing secondary processing on sensitive health data. This is risky because it expands use of the original disclosures beyond the immediate consultation and may infer new sensitive attributes without separate notice or consent.

VirusTotal

65/65 vendors flagged this skill as clean.