unisound-exercise-guidance

Security checks across malware telemetry and agentic risk

Overview

This rehabilitation skill is not clearly malicious, but it needs review because it sends medical-context inputs to a remote model and broadly processes documents and images.

Install only if you are comfortable sending rehabilitation-related inputs and extracted document content to the listed external API, and only after approving the provider's privacy, retention, and compliance terms. Avoid patient identifiers or protected health information unless the deployment has explicit consent, secure appkey handling, and sandboxing for document conversion/OCR tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
72% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for xls conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless",
             "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
             "--outdir", tmp_dir, str(path)],
Confidence
74% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        pass
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
68% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The manifest describes capabilities implying environment access, file read/write, networking, and shell/tool execution, but it does not declare any permissions or constraints. This creates a transparency and governance gap: a seemingly simple exercise-guidance skill could process local files, invoke external tools, and send data off-host without explicit approval boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is a narrow rehabilitation exercise guidance display skill, but the documented behavior includes broad document ingestion, OCR, document conversion, and remote LLM transmission. This mismatch is dangerous because users or reviewers may trust the skill with sensitive medical content under a much narrower expectation than what it actually does.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill claims it only presents existing exercise guidance, yet the output contract says the internal medical model generates interpretation, analysis, and reminders. In a medical context, this can introduce unreviewed advice beyond simple display, increasing the risk of misleading or clinically inappropriate output.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Support for PDF, Office documents, images, and OCR is broader than needed for a simple guidance-display skill and expands the attack surface substantially. More parsers and file handlers mean greater risk of unsafe content processing, accidental ingestion of unrelated sensitive records, and hidden data exfiltration through downstream model calls.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Depending on external tools such as LibreOffice, pdftotext, and Tesseract introduces shell-level and parser-level exposure not justified by the declared exercise-guidance function. In practice, these utilities can broaden the trust boundary and make exploitation or unsafe file handling more likely if untrusted documents are processed.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file implements broad multi-format ingestion and extraction capabilities that do not align with a postoperative exercise-guidance skill, indicating unnecessary capability expansion. Excess parsing surface increases exposure to malicious documents, accidental sensitive-data ingestion, and misuse beyond the stated clinical guidance purpose.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Embedding subprocess-based office, PDF, and OCR conversion in an exercise-guidance skill is unjustified and materially enlarges the attack surface with complex third-party tools. In this skill context, the mismatch makes the behavior more suspicious and more dangerous because users and operators would not reasonably expect document-conversion pipelines in a rehabilitation guidance component.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code sends user-provided rehabilitation details to a third-party remote LLM service, despite the skill being presented as local/self-contained postoperative exercise guidance. In a medical context, exercise name, rehab phase, instructions, frequency, duration, and precautions can reveal sensitive health information, creating privacy, compliance, and data-governance risk if transmitted externally without explicit disclosure and consent.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module docstring claims the skill is 'self-contained', but the implementation depends on a remote API for core functionality. This is a security-relevant misrepresentation because operators may deploy it assuming no external data transfer, leading to uninformed handling of sensitive rehabilitation data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that input content is sent to a remote medical model API, but there is no clear user-facing warning, consent flow, or data-handling notice. Because the skill may ingest medical rehabilitation documents and OCR text, this creates a meaningful privacy and compliance risk around transmission of sensitive health information.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code performs hidden subprocess-driven document conversion and OCR without any visible notice, consent flow, or disclosure, creating transparency and trust issues around how user files are handled. In a healthcare-adjacent skill, undisclosed parsing of uploaded documents can also create privacy and compliance risks if sensitive patient content is processed unexpectedly.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
The OCR path silently prefers Chinese plus English models when available, without user choice or documented rationale. This is not a direct exploit primitive, but it can cause inappropriate processing of patient data, inaccurate extraction, and unexpected handling behavior in a medical context where correctness and transparency matter.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Sensitive rehabilitation inputs are transmitted to an external API with no user-facing disclosure, consent flow, or warning in this file. In a postoperative patient-guidance skill, these fields can constitute protected health or health-adjacent data, making silent exfiltration to a third party especially risky.

Ssd 1

Medium
Confidence
96% confidence
Finding
Untrusted input fields are interpolated directly into the LLM prompt, allowing semantic prompt injection through values such as instruction or precautions. In this medical skill, an attacker could embed adversarial text that causes the model to ignore constraints, produce unsafe rehab guidance, leak hidden instructions, or generate clinically inappropriate output for a patient.

VirusTotal

VirusTotal findings are pending for this skill version.
