unisound-followup-reminder

Security checks across malware telemetry and agentic risk

Overview

This skill appears to provide patient follow-up reminders, but it sends sensitive medical details to a remote model and includes broad document parsing that needs careful review.

Install only if you are comfortable sending patient follow-up details and notes to the listed remote medical-model API. Prefer JSON or minimal structured input over Office/PDF/image files, protect the app key, and confirm the provider's privacy, retention, logging, and healthcare compliance terms before using real patient data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
79% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for xls conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless",
             "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
             "--outdir", tmp_dir, str(path)],
Confidence
79% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        pass
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
68% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares a simple patient follow-up reminder use case, but the documentation exposes broad capabilities including file read/write, shell/tool invocation, environment access, and outbound network calls without any corresponding permission declaration or user-facing trust boundary. In a medical context, these capabilities materially increase risk because patient data from local files or OCR/parsing flows could be processed and exfiltrated through the remote API or auxiliary tools with little visibility.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a true description-behavior mismatch: the skill is presented as a narrowly scoped reminder tool, but the spec includes broad document ingestion, OCR, remote model calls, persistent output writing, and natural-language medical analysis beyond simple reminder generation. That mismatch is dangerous because users may provide sensitive medical records under the assumption of local, limited processing when the actual behavior expands data collection, processing, and disclosure scope.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file implements a broad multi-format ingestion utility that is materially unrelated to a patient follow-up reminder skill. This scope mismatch is dangerous because it introduces powerful file-processing and external-tool execution capabilities that expand attack surface far beyond the declared medical reminder functionality, making hidden or unnecessary behavior harder to review and justify.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Executing office conversion binaries in a reminder-management skill is an unjustified high-risk capability because it processes arbitrary user files via large external parsers. In this skill context, the behavior is more dangerous because it is unexpected and broadens the attack surface without a clear business need, raising both security and trust concerns.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Support for OCR and arbitrary multi-format parsing is outside the apparent reminder-use case and therefore represents unnecessary capability creep. Even if implemented without obvious injection flaws, each added parser and file type meaningfully increases the risk of exploitation, data exposure, and denial of service.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill transmits patient follow-up details, including disease type, visit dates, and notes, to an external LLM service over the network. In a healthcare context this is highly sensitive data handling, and the code shows no minimization, consent flow, de-identification, regional compliance check, or restriction proving the transfer is necessary for a simple reminder workflow.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The fallback block is documented as only retrying preprocessing, but it changes runtime behavior and calls build(data, args.appkey) with the wrong arguments. This can cause crashes or unintended execution paths during error handling, making the skill unreliable and potentially bypassing expected validation/date handling in failure scenarios.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation states that an appkey is required and names a remote model endpoint, but it does not clearly warn users that supplied patient follow-up data and potentially OCR-extracted medical content will be transmitted to that API for processing. For healthcare-related data, lack of explicit disclosure and consent is a significant privacy and compliance risk because users may unknowingly send sensitive personal health information off-box.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
At the point where the prompt is assembled and later sent to the external API, the code includes sensitive patient context without any user-facing notice or consent mechanism. In a medical follow-up skill, undisclosed third-party transmission of disease and appointment data creates significant privacy, compliance, and trust risks.

VirusTotal

66/66 vendors flagged this skill as clean.