Security audit

med-followup-record-struct

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised medical-record structuring, but it sends sensitive record text to an external service while claiming de-identification safeguards that the code does not implement.

Review before installing. Use this only if you are authorized to send the medical records to the disclosed external service, and remove patient identifiers yourself unless the publisher provides verifiable de-identification, consent, retention, and compliance controls. Avoid processing untrusted PDFs, Office documents, or images outside a sandboxed low-privilege environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-followup-record-") as tmp_dir:
        proc = subprocess.run(
            [
                office_bin,
                "--headless",
Confidence
79% confidence
Finding
proc = subprocess.run( [ office_bin, "--headless", "--convert-to", "txt:Text", "--outdir",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
72% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=Fa

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares privacy safeguards, but the documentation also indicates capabilities for file read/write, shelling out to external tools, network access, and environment use without an explicit permissions declaration. This creates a real trust and governance gap: operators may authorize the skill based on its narrow medical-structuring description while it can access broader local resources and invoke external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
This is a true security/privacy issue because the declared purpose focuses on structuring follow-up medical records, but the documented behavior expands into multi-format ingestion, OCR, external program execution, and transmission of medical text to a third-party network endpoint. In a healthcare context, that mismatch materially increases risk: users may provide sensitive files expecting local transformation while the skill may preprocess broadly and send data off-host.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill presents itself as local record structuring, but the main flow ultimately sends the prepared medical record to struct_followup_record with timeout/diag_id/department parameters indicating backend service use. In this medical context, that is significant because sensitive patient follow-up data may be transmitted off-host contrary to user expectations, creating privacy, compliance, and data-handling risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script's functionality is broader than its stated purpose because it executes multiple external binaries to convert arbitrary document and image formats before structuring the record. In a skill handling potentially untrusted medical uploads, each converter adds attack surface and increases the chance of exploitation via crafted files or denial of service.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script hardcodes an external API endpoint and its core functionality sends full follow-up medical record text to that third-party service for processing. Because medical records are highly sensitive, undisclosed off-box transmission materially changes the trust boundary and creates a confidentiality/compliance risk beyond simple local structuring.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The helper performs outbound POST requests containing medical record content to an external endpoint, which is a real data exfiltration path from the local environment. Even if HTTPS is used, this still exposes sensitive patient data to a remote processor and can violate least-privilege, data residency, and privacy expectations if not explicitly justified and controlled.

Missing User Warnings

High
Confidence
99% confidence
Finding
At the call site, the code sends the entire record text to the remote API without any user-facing warning, confirmation, or acknowledgment that sensitive medical content is leaving the system. In a medical-record skill, that lack of transparency is especially dangerous because users may reasonably assume local structuring and not external disclosure of PHI.

VirusTotal

65/65 vendors flagged this skill as clean.