Chronic Disease

Security checks across malware telemetry and agentic risk

Overview

This skill performs the stated medical review workflow, but its privacy promises do not match the code: sensitive medical text can be sent to a remote model and saved locally by default.

Treat this as a Review item before installing. Use it only if you are authorized to send the medical records to the configured LLM endpoint and to store resulting files locally. Do not rely on the stated de-identification/no-persistence claims unless the publisher updates the code or you add your own redaction, restricted output location, retention controls, and deletion process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The privacy section promises strict de-identification and no local persistence, but later the skill states that raw response JSON and text summaries are saved to local files by default. For medical-review workflows, those outputs may contain protected health information, model reasoning over sensitive records, or identifiers that survived preprocessing, so the contradiction materially increases confidentiality risk.

Description-Behavior Mismatch

Severity: Low
Confidence: 84%
Finding
The script writes raw model responses, natural-language summaries, and optionally the normalized OCR payload to disk. In this medical-review context, those artifacts can contain highly sensitive health information and identifiers, so creating files by default increases the risk of unintended PHI disclosure through local filesystem access, backups, logs, or shared workspaces.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The code sends full OCR-derived medical record content to a remote LLM endpoint, which is sensitive health data and may also include identifiers. In a medical-insurance review workflow, transmitting this data off-host without explicit user warning, consent flow, or minimization materially increases privacy and compliance risk if the endpoint, logs, or downstream processors are exposed or operate outside expected boundaries.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists raw response JSON and a natural-language summary to disk, and those outputs can contain sensitive patient and medical-review details derived from the OCR input. Without a warning, secure storage controls, or redaction, operators may unknowingly create local PHI copies that are easier to leak through backups, shared folders, or improper file permissions.

Ssd 3

Severity: High
Confidence: 97%
Finding
The implementation embeds verbatim OCR text into the LLM prompt, meaning entire medical documents and possible personal identifiers are transmitted without minimization. In this context, the danger is amplified because healthcare OCR often contains diagnoses, test values, names, IDs, and visit details, so prompt disclosure and subsequent persistence create a broad PHI exposure surface.

Ssd 3

Severity: High
Confidence: 94%
Finding
The returned result structure intentionally includes raw LLM content, and the main routine later writes that response and a generated summary to disk. Because model output can echo or transform the submitted OCR medical records, this design preserves sensitive patient data in additional artifacts, increasing the chance of disclosure through local access, logging, backups, or operator mishandling.
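The overview recommends adding your own redaction, a restricted output location, retention controls and a deletion process, and the findings above describe the two concrete gaps: verbatim OCR text embedded in the outbound prompt, and raw response JSON plus a summary written to disk by default. The following Python is an added example written for this page; it is not the skill's code and not SkillSpector's. It assumes the identifier regexes, the constructed sample record and the function names (redact, build_prompt, outbound_is_clean, save_outputs, purge_expired), none of which appear in the skill.

```python
"""Added example (not the skill's own code): tokenise common identifiers in
OCR text before it goes into an LLM prompt, verify the outbound payload no
longer contains them, and persist outputs only on explicit opt-in into an
owner-only directory with a retention sweep. Patterns, sample record and
function names are illustrative assumptions."""
import json
import os
import re
import tempfile
import time
from pathlib import Path

# Identifier classes that often survive OCR preprocessing. Patterns with a
# capture group redact only the captured value, so labels such as "MRN:" stay
# readable for the model. This is a minimisation layer, not full HIPAA Safe
# Harbor de-identification: free-text names and addresses need more than this.
PATTERNS = [
    ("NAME", re.compile(r"Patient Name:\s*([A-Z][a-z]+(?: [A-Z][a-z]+)+)")),
    ("MRN", re.compile(r"\bMRN[:#]?\s*(\d{6,})\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def redact(text):
    """Return (redacted_text, mapping). mapping is token -> original value and
    must stay on the host; it is what lets a local summary be re-identified."""
    mapping, counts = {}, {}

    def token_for(kind, value):
        for tok, known in mapping.items():
            if known == value and tok.startswith(f"[{kind}_"):
                return tok            # same identifier -> same token
        counts[kind] = counts.get(kind, 0) + 1
        tok = f"[{kind}_{counts[kind]}]"
        mapping[tok] = value
        return tok

    for kind, pat in PATTERNS:
        def sub(m, kind=kind):
            if m.lastindex:           # capture group: keep the surrounding label
                tok = token_for(kind, m.group(1))
                s, e = m.start(1) - m.start(), m.end(1) - m.start()
                return m.group(0)[:s] + tok + m.group(0)[e:]
            return token_for(kind, m.group(0))
        text = pat.sub(sub, text)
    return text, mapping


def reidentify(text, mapping):
    """Local-only inverse of redact(), e.g. for a summary that cites [MRN_1]."""
    for tok, value in mapping.items():
        text = text.replace(tok, value)
    return text


def build_prompt(ocr_text):
    """Build the outbound prompt from redacted text, never the verbatim OCR."""
    redacted, mapping = redact(ocr_text)
    prompt = ("Review the following de-identified medical record and summarise "
              "the findings relevant to a chronic-disease claim.\n\n" + redacted)
    return prompt, mapping


def outbound_is_clean(payload, mapping):
    """Pre-send check: none of the redacted values may appear in the payload."""
    return all(value not in payload for value in mapping.values())


def save_outputs(out_dir, response, summary, persist=False):
    """Persist outputs only when the operator opts in; files are owner-only."""
    if not persist:
        return []
    out_dir = Path(out_dir)
    out_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(out_dir, 0o700)          # mkdir's mode is still subject to umask
    written = []
    for name, payload in (("response.json", json.dumps(response, indent=2)),
                          ("summary.txt", summary)):
        path = out_dir / name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(payload)
        written.append(path)
    return written


def purge_expired(out_dir, max_age_s, now=None):
    """Retention sweep: delete persisted artifacts older than max_age_s."""
    now = time.time() if now is None else now
    removed = []
    for path in Path(out_dir).glob("*"):
        if path.is_file() and now - path.stat().st_mtime >= max_age_s:
            path.unlink()
            removed.append(path)
    return removed


def persistence_roundtrip():
    """Opt-in write into a fresh temp dir, report file modes, then sweep."""
    out_dir = tempfile.mkdtemp()
    written = save_outputs(out_dir, {"content": "[MRN_1] reviewed"}, "ok", persist=True)
    modes = [p.stat().st_mode & 0o777 for p in written]
    removed = purge_expired(out_dir, max_age_s=0, now=time.time() + 60)
    return len(written), modes, len(removed)


# Constructed sample record (not real data) in the shape healthcare OCR produces.
SAMPLE_OCR = """Patient Name: Jane Doe
MRN: 00123456   DOB: 03/14/1962
Phone: (555) 123-4567  Email: jane.doe@example.com  SSN: 123-45-6789
Visit 04/02/2024: HbA1c 8.1%, metformin 1000 mg BID, hypertension controlled.
Claim note: prior auth needed for CGM; see MRN: 00123456 for history."""
```

Two caveats apply. The clinical content left in the prompt (diagnoses, drug regimens, lab values) is still sensitive health data, so this lowers identifier exposure but does not remove the need for authorization to send records to the endpoint. The token mapping is itself a re-identification key and belongs under the same storage and deletion controls as the persisted outputs; never include it in the outbound request or in any file that leaves the restricted directory.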

VirusTotal

VirusTotal findings are pending for this skill version.
