Security audit

med-critical-disease-review

Security checks across malware telemetry and agentic risk

Overview

This medical-record review skill has a real use case, but its privacy promises do not match what the code actually does.

Install or use this only if you are authorized to process the medical records involved and are comfortable sending their contents to the stated remote service. Do not rely on the documented automatic de-identification or no-retention claims unless the publisher adds enforceable redaction and disables or clearly controls local output storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-critical-review-") as tmp_dir:
        proc = subprocess.run(
            [
                office_bin,
                "--headless",
Confidence
76% confidence
Finding
proc = subprocess.run( [ office_bin, "--headless", "--convert-to", "txt:Text", "--outdir",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
72% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=Fa

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The privacy section claims no local persistent storage, but later the skill states that raw API responses and text summaries are saved to disk by default. In a medical-claims context, those outputs may contain highly sensitive health information, so the contradictory behavior can directly cause unauthorized retention of regulated data.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill asserts that data is strictly de-identified before being sent to any model or interface, but the documented request flow shows direct submission of medicalRecord data to assessment endpoints without any visible de-identification step. In this healthcare setting, that can result in disclosure of personally identifiable and protected health information to internal or third-party services contrary to user expectations and policy.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code transmits structured medical-record data to a remote HTTPS endpoint without any explicit consent prompt, privacy notice, data minimization step, or indication of regulatory handling. Because the payload contains health information, silent network transmission can create serious confidentiality, compliance, and data-governance risks if users assume processing is local or if the endpoint is not properly authorized for this data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script preprocesses hospital records and then transmits the resulting medicalRecord payload to a remote assessment API without any consent prompt, privacy warning, minimization step, or disclosure in this file. Because the data includes highly sensitive medical information, silent transmission creates a real confidentiality and compliance risk if users are unaware or if the remote service is broader than expected.

VirusTotal

65/65 vendors flagged this skill as clean.