
Security audit

med-chronic-disease-review

Security checks across malware telemetry and agentic risk

Overview

This medical-document review skill's functionality matches its stated purpose, but it can upload sensitive OCR medical text to a remote or user-chosen endpoint while making privacy claims the code does not enforce.

Review carefully before installing. Use only records that are already de-identified, verify the backend operator and privacy terms, do not override `--base` unless you fully trust the endpoint, prefer JSON input over raw PDFs or Office files from untrusted sources, set a finite timeout, and delete generated output or prepared OCR files when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-chronic-review-") as tmp_dir:
        proc = subprocess.run(
            [
                office_bin,
                "--headless",
Confidence
89% confidence
Finding
proc = subprocess.run( [ office_bin, "--headless", "--convert-to", "txt:Text", "--outdir",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
83% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=Fa

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises and documents capabilities including network access, local file read/write, environment access, and shell-based tooling, but no explicit permissions are declared. This creates a trust and containment gap: users may invoke a medical-document skill without realizing it can access local resources and transmit data externally, increasing the risk of unintended data exposure or unsafe execution paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior materially exceeds the stated purpose: beyond consuming OCR JSON, it accepts many document formats, invokes external binaries for conversion/OCR, can infer disease type from input, and sends content to a remote review API. This broader attack surface increases the chance of dangerous file parsing, command/tool misuse, and privacy leakage, especially because users may provide sensitive medical files under the assumption of a narrow local review workflow.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill claims strict de-identification before sending data to any model or API, yet the same document describes transmitting OCR-derived medical content to an external review service without documenting any concrete redaction mechanism. In a healthcare context, such unsupported privacy claims are dangerous because users may submit protected health information believing it will be anonymized when that may not actually occur.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill sends OCR-derived medical content to a remote service, but the stated skill behavior emphasizes taking OCR JSON as input and producing review output, without clearly disclosing that sensitive medical data leaves the local environment. Because OCR data for chronic disease review may contain protected health information, undisclosed network transmission materially increases privacy and compliance risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `--base` argument allows the caller to redirect uploads to any arbitrary URL, and the request body includes full OCR medical data. In environments where this skill is invoked by higher-level agents or workflows, an attacker who can influence arguments can exfiltrate sensitive patient data to an attacker-controlled host while preserving expected program behavior.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The implementation materially exceeds the stated skill purpose by accepting many document types, performing extraction/OCR, and then sending data onward for review. Scope expansion is security-relevant because it increases the attack surface, user surprise, and the chance that sensitive medical content is processed in ways the user did not intend.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing LibreOffice, pdftotext, and Tesseract on user-provided files is a significant capability escalation not justified by the described task. In a security-sensitive agent environment, invoking multiple external native binaries on untrusted medical documents creates substantial risk of parser exploitation, local file exposure through converters, and denial of service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits OCR medical data to a remote endpoint without any explicit user-facing warning at the point of transmission. Given the sensitivity of outpatient chronic disease records, silent upload increases the chance of accidental privacy violations and noncompliant handling of regulated health information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends OCR-derived medical record content to an external review service via `call_review_by_ocr` without any explicit notice, consent, redaction, or policy enforcement in this file. Because the data is health-related and likely sensitive, undisclosed transmission creates a meaningful privacy and compliance risk.

VirusTotal

67/67 vendors flagged this skill as clean.
