
Security audit

med-initial-record-genenration

Security checks across malware telemetry and agentic risk

Overview

This medical-record skill is purpose-aligned, but it can send sensitive dialogue to an external service while promising de-identification that the code does not enforce.

Review before installing. Use this only if you are allowed to send medical dialogue to the documented external service, and remove patient identifiers yourself before running it. Prefer trusted TXT/JSON inputs, avoid --save-prepared for sensitive data, set a finite timeout, and process PDFs, Office files, or images only in a controlled environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-initial-record-") as tmp_dir:
        proc = subprocess.run(
            [
                office_bin,
                "--headless",
Confidence
74% confidence
Finding
proc = subprocess.run( [ office_bin, "--headless", "--convert-to", "txt:Text", "--outdir",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
Confidence
72% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=Fa

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document claims strict de-identification before sending data to any model or interface, but also states that a third-party record-generation service may receive the content, without describing any concrete redaction pipeline, validation, or guarantees. For medical dialogue, this creates a serious privacy and compliance risk: users may rely on a claimed safeguard that is not substantiated, leading to transmission of protected health information to an external service.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill sends full doctor-patient dialogue content to an external company API, which means highly sensitive medical and potentially personally identifiable information leaves the local environment. In a healthcare context, undisclosed external transmission materially increases privacy, compliance, and data-governance risk, especially if users expect local processing based on the skill description.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The skill's stated purpose is text-to-record generation, yet it invokes external OCR and document-conversion binaries on user-supplied content. That unnecessary capability expansion materially increases exposure to vulnerable native parsers and host-level denial of service, making the skill more dangerous in context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code reads medical dialogue from disk and sends it to a remote API without any user-facing warning, consent check, or indication that sensitive health data will be disclosed externally. Because this skill processes medical conversations, the absence of transparency and consent makes the privacy risk more severe than in ordinary text-processing tools.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When --save-prepared is used, the script writes normalized doctor-patient dialogue to disk, which likely contains sensitive medical data. Persisting PHI without strong disclosure, retention controls, or secure storage expectations creates confidentiality and compliance risk if the filesystem is accessible, backed up, or shared.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script always writes normalized dialogue to a temporary file before calling generate_initial_record, causing sensitive medical text to be persisted on disk even when the user did not explicitly request saving it. Temporary files can be exposed through local access, backups, crash forensics, or weak tmp directory controls, so this is a real privacy weakness in a medical context.

VirusTotal

67/67 vendors flagged this skill as clean.
