unisound-function-self-assessment

Security checks across malware telemetry and agentic risk

Overview

This medical self-assessment skill appears useful, but it ingests a broad range of user-supplied documents (PDF, Office, spreadsheet, JSON, text and image OCR) through external converter binaries and sends full assessment contents to an external model API, all without clear disclosure or consent controls.

Review this carefully before installing in any patient, clinical, or regulated setting. Use it only if users are explicitly told what files and assessment fields are processed, what is sent to the external model provider, and how consent, retention, and deletion are handled; prefer a sandboxed/local processing path for sensitive health data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises capabilities that imply file access, shell/tool execution, network egress, and use of an API key, but it does not declare permissions or constraints for them. In a medical-context skill that accepts many document types and invokes external converters/OCR tools plus a remote model endpoint, this lack of explicit permissioning and trust boundaries increases the risk of unintended data exfiltration, unsafe file handling, and execution of risky parsing pipelines on sensitive patient data.
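One way to substantiate this finding before install, added here as an example and not SkillSpector's or the skill's own code: parse the skill's Python with the standard `ast` module, map calls such as `os.environ[...]`, `subprocess.run` and `requests.post` to the capability they evidence, and diff that against the permissions the manifest declares. `SKILL_SOURCE`, `DECLARED` and the `INDICATORS` table are constructed stand-ins; the real skill declares nothing, which is exactly what the diff would surface.

```python
"""Static capability inventory for a skill: which sensitive operations its
code performs, and which of them its manifest declares.  Added example for
this review, not SkillSpector's or the skill's own code.  SKILL_SOURCE and
DECLARED are constructed stand-ins for the real skill and its manifest."""
import ast

# Constructed stand-in for the skill's entry point (not the real code).
SKILL_SOURCE = '''
import os, subprocess, json
import requests

API_KEY = os.environ["ASSESSMENT_API_KEY"]

def convert(path):
    subprocess.run(["soffice", "--headless", "--convert-to", "pdf", path], check=True)
    with open(path + ".txt") as f:
        return f.read()

def interpret(answers):
    return requests.post("https://model.example.invalid/v1/chat", json=answers).json()
'''

# Constructed manifest.  The reviewed skill declares nothing at all; one
# capability is declared here so the comparison has something to accept.
DECLARED = {"filesystem:read"}

# Call or attribute patterns that evidence each capability (assumed table).
INDICATORS = {
    "env:read": {"os.environ", "os.getenv"},
    "process:exec": {"subprocess.run", "subprocess.Popen", "subprocess.call",
                     "subprocess.check_output", "os.system", "os.popen"},
    "network:egress": {"requests.post", "requests.get", "httpx.post",
                       "urllib.request.urlopen", "http.client.HTTPSConnection"},
    "filesystem:read": {"builtins.open"},
}

def _dotted(node):
    """Return 'pkg.mod.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def used_capabilities(source):
    """Map each capability to the source sites (name@Lline) that evidence it."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name == "open":            # builtin call, not attribute access
                name = "builtins.open"
        elif isinstance(node, ast.Subscript):   # os.environ["KEY"]
            name = _dotted(node.value)
        else:
            continue
        for cap, patterns in INDICATORS.items():
            if name in patterns:
                found.setdefault(cap, set()).add(f"{name}@L{node.lineno}")
    return found

def undeclared_capabilities(source, declared):
    """Capabilities the code exercises that the manifest never declared."""
    used = used_capabilities(source)
    return {cap: sorted(sites) for cap, sites in used.items() if cap not in declared}

if __name__ == "__main__":
    for cap, sites in undeclared_capabilities(SKILL_SOURCE, DECLARED).items():
        print(f"UNDECLARED {cap}: {', '.join(sites)}")
```

Walking the AST rather than grepping avoids false positives from strings and comments, but it only sees direct calls: a capability reached through a wrapper module, `getattr` or `importlib` is invisible to this pass, so an empty report is a prompt for manual review, not clearance.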

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The file implements a broad, generic document-ingestion pipeline for PDF, Office, spreadsheet, JSON, text, and image OCR despite the skill being described as a patient self-assessment questionnaire capability. This scope expansion materially increases attack surface and data-handling reach without clear justification, making misuse, overcollection, and unsafe parsing of untrusted documents more likely in a medical-context skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill invokes external office, PDF, and OCR binaries (LibreOffice/soffice, pdftotext, tesseract) to process user-supplied files, which is a large and unnecessary execution surface for a self-assessment survey skill. In context, this is more dangerous because medical/patient-facing systems may handle sensitive files, and complex third-party parsers have a long history of denial-of-service and memory-corruption issues when given crafted documents.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill sends full assessment contents, including question text, answers, assessment ID, and timestamp, to an external LLM API for interpretation. In a medical self-assessment context this is sensitive health-related data, and transmitting it off-box without minimization, consent flow, or documented privacy controls creates a real confidentiality and compliance risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The code requires an external API key and makes outbound requests to a remote model service even though the skill is described as a patient self-assessment/questionnaire capability. This expands the trust boundary, introduces potential data exfiltration and dependency risks, and is especially concerning because the transmitted content is patient assessment data.

Natural-Language Policy Violations

Severity: Medium
Confidence: 82%
Finding
The OCR path automatically prefers Chinese Simplified plus English when both are installed, without user choice or documented consent. In a patient-facing assessment tool, forced language behavior can cause inaccurate extraction, mishandling of multilingual health information, and privacy/compliance issues if users are not informed how their documents will be processed.
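For the two findings that concern the parsing pipeline (the external soffice/pdftotext/tesseract invocations on untrusted files, and the OCR language the skill picks on the user's behalf), the following wrapper shows the shape of a contained replacement. It is an added example for this review, not the skill's code; the size, time and memory limits, the allowlisted types and the vetted language set are assumed policy values, and `demo()` uses constructed files plus a shell one-liner in place of a real converter.

```python
"""Hardened wrapper for the converters the skill shells out to (pdftotext,
tesseract; soffice follows the same pattern).  Added example for this review,
not the skill's code.  Policy values and the vetted OCR language set are
assumptions; demo() uses constructed files and a shell one-liner as converter."""
import os
import resource
import subprocess
import tempfile

MAX_INPUT_BYTES = 20 * 1024 * 1024        # assumed policy value
MAX_OUTPUT_BYTES = 5 * 1024 * 1024        # assumed policy value
CONVERTER_TIMEOUT_S = 30                  # assumed policy value
CONVERTER_MEMORY_BYTES = 2 * 1024 ** 3    # assumed policy value
# Only the types the assessment flow needs, recognised by magic bytes, not extension.
ALLOWED_MAGIC = {b"%PDF-": "pdf", b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
ALLOWED_OCR_LANGS = {"eng", "chi_sim", "deu"}   # vetted tesseract codes (assumed set)

class RejectedInput(ValueError):
    """Any input or converter behaviour outside policy."""

def classify(path):
    """Return the allowed type for `path`, or raise RejectedInput."""
    size = os.path.getsize(path)
    if size == 0 or size > MAX_INPUT_BYTES:
        raise RejectedInput(f"size {size} outside policy")
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in ALLOWED_MAGIC.items():
        if head.startswith(magic):
            return kind
    raise RejectedInput("not an allowlisted document type")

def ocr_lang_arg(langs):
    """Build tesseract's -l value from an explicit, validated user choice."""
    if not langs:
        raise RejectedInput("OCR language must be chosen explicitly")
    bad = set(langs) - ALLOWED_OCR_LANGS
    if bad:
        raise RejectedInput(f"unsupported OCR language(s): {sorted(bad)}")
    return "+".join(langs)

def converter_argv(kind, path, outdir, langs=None):
    """argv list (never a shell string) that writes outdir/out.txt."""
    if kind == "pdf":
        return ["pdftotext", "-layout", path, os.path.join(outdir, "out.txt")]
    if kind in ("png", "jpeg"):   # tesseract appends .txt to the output base itself
        return ["tesseract", path, os.path.join(outdir, "out"), "-l", ocr_lang_arg(langs)]
    raise RejectedInput(f"no converter for {kind}")

def _limit_child():
    """Child side, before exec: cap CPU seconds and address space, never above the hard limit."""
    for limit, desired in ((resource.RLIMIT_CPU, CONVERTER_TIMEOUT_S),
                           (resource.RLIMIT_AS, CONVERTER_MEMORY_BYTES)):
        _soft, hard = resource.getrlimit(limit)
        new = desired if hard == resource.RLIM_INFINITY else min(desired, hard)
        resource.setrlimit(limit, (new, new))

def run_converter(argv, outdir, timeout_s=CONVERTER_TIMEOUT_S):
    """Run argv in outdir with a minimal env, wall-clock limit and output cap."""
    env = {"PATH": "/usr/bin:/bin", "HOME": outdir, "LANG": "C"}   # no inherited secrets
    try:
        subprocess.run(argv, cwd=outdir, env=env, timeout=timeout_s, check=True,
                       stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        raise RejectedInput("converter exceeded its time budget") from None
    except (subprocess.CalledProcessError, OSError) as exc:
        raise RejectedInput(f"converter failed: {exc}") from None
    out = os.path.join(outdir, "out.txt")
    if not os.path.exists(out) or os.path.getsize(out) > MAX_OUTPUT_BYTES:
        raise RejectedInput("converter produced no output or exceeded the output cap")
    with open(out, encoding="utf-8", errors="replace") as f:
        return f.read()

def demo():
    """Exercise the checks on constructed inputs; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pdf = os.path.join(d, "form.pdf")
        with open(pdf, "wb") as f:
            f.write(b"%PDF-1.4\n% constructed sample, not a real assessment\n")
        results["pdf_kind"] = classify(pdf)
        fake = os.path.join(d, "report.pdf")   # named .pdf, actually a ZIP container
        with open(fake, "wb") as f:
            f.write(b"PK\x03\x04 constructed")
        try:
            classify(fake)
        except RejectedInput as exc:
            results["fake_pdf"] = str(exc)
        results["ocr_argv"] = converter_argv("png", "scan.png", d, ["chi_sim", "eng"])
        try:
            converter_argv("png", "scan.png", d)
        except RejectedInput as exc:
            results["no_lang"] = str(exc)
        # Shell one-liner standing in for a converter that writes out.txt.
        results["text"] = run_converter(["sh", "-c", "printf hello > out.txt"], d)
        try:
            run_converter(["sh", "-c", "sleep 5"], d, timeout_s=1)
        except RejectedInput as exc:
            results["slow"] = str(exc)
    return results
```

Inputs are classified by magic bytes, so a renamed ZIP or script is rejected whatever extension the user gave it; the converter runs without a shell, with a scrubbed environment so the skill's API key never reaches a child process, under a wall-clock timeout and rlimit caps, and with a bound on output size. The OCR language is a required, validated argument rather than a default the skill chooses. rlimits bound CPU and memory only and do not confine filesystem or network access, so a production deployment would additionally run these binaries in a container or sandbox with no network and a read-only root.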

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The outbound API call occurs with no visible user-facing notice, consent, or warning that assessment contents will be transmitted to a remote service. For a patient-facing postoperative recovery assessment, this lack of disclosure materially increases privacy risk because users may reasonably expect their responses to remain local.
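The three findings on the outbound model call (full assessment contents transmitted, an external API key and endpoint, and no user-facing disclosure) share one fix: minimise the payload and refuse egress until recorded consent covers the endpoint and exactly the fields being sent. The code below is an added example for this review, not the skill's code; the record layout, the `Consent` object, the endpoint and the `transport` callable are assumptions, `SAMPLE_RECORD` is constructed, and `offline_transport` never touches the network.

```python
"""Consent gate and data minimisation in front of the skill's outbound model
call.  Added example for this review, not the skill's own code.  The record
layout, Consent object, endpoint and transport callable are assumptions;
SAMPLE_RECORD is constructed and offline_transport never touches the network."""
import hashlib
import json
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Consent:
    """What the user was shown and agreed to before any data leaves the box."""
    external_processing: bool = False
    disclosed_endpoint: str = ""
    disclosed_fields: frozenset = frozenset()

class ConsentRequired(RuntimeError):
    """Egress attempted without consent covering this endpoint and payload."""

# Only these fields are needed to interpret an assessment.  The identifiers
# the finding lists (assessment_id, timestamp) are simply never copied.
SEND_FIELDS = ("questions", "answers")

# Direct identifiers that turn up in free-text answers.  The date pattern
# runs before the phone pattern so a date is not rewritten as a phone number.
_SCRUBBERS = (
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[date]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[email]"),
    (re.compile(r"\b\+?\d[\d ()-]{7,}\d\b"), "[phone]"),
)

def scrub(text):
    """Replace obvious direct identifiers; a floor, not a de-identification guarantee."""
    for pattern, token in _SCRUBBERS:
        text = pattern.sub(token, text)
    return text

def minimise(record):
    """Copy only SEND_FIELDS, scrubbing free text; everything else stays local."""
    payload = {}
    for key in SEND_FIELDS:
        value = record.get(key)
        if isinstance(value, list):
            payload[key] = [scrub(str(v)) for v in value]
        elif value is not None:
            payload[key] = scrub(str(value))
    return payload

def egress_allowed(payload, consent, endpoint):
    """True only if consent names this endpoint and covers every field being sent."""
    return (consent.external_processing
            and consent.disclosed_endpoint == endpoint
            and set(payload) <= set(consent.disclosed_fields))

def interpret(record, consent, endpoint, transport):
    """Gate, minimise, send; return the reply and an audit digest of the body."""
    payload = minimise(record)
    if not egress_allowed(payload, consent, endpoint):
        raise ConsentRequired(f"no consent on record for sending {sorted(payload)} to {endpoint}")
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    # The audit log gets a digest of what left the box, never the content itself.
    digest = hashlib.sha256(body).hexdigest()
    return transport(endpoint, body), digest

# Constructed sample; not real patient data.
SAMPLE_RECORD = {
    "assessment_id": "A-0001",
    "timestamp": "2024-05-01T10:00:00Z",
    "patient_name": "Constructed Patient",
    "questions": ["Pain level today?", "Any wound discharge?"],
    "answers": ["4/10", "No, but call dr.x@example.com or 555 010 2345 before 2024-05-03"],
}

MODEL_ENDPOINT = "https://model.example.invalid/v1/interpret"   # assumed endpoint

def offline_transport(endpoint, body):
    """Stand-in transport: records what would have been sent and sends nothing."""
    return {"endpoint": endpoint, "bytes": len(body)}
```

`assessment_id` and `timestamp`, the identifiers the finding lists, never reach the payload; free-text answers are scrubbed of obvious direct identifiers, which is a floor rather than a guarantee; and the audit trail records a SHA-256 of the body rather than the body. Wiring `interpret` to the real client means passing a transport that performs the HTTPS POST, so the consent check sits in front of every call by construction rather than by convention.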

VirusTotal

VirusTotal findings are pending for this skill version.
