unisound-health-education

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed health-education helper, but it can send health-related inputs to a remote medical-model API and can run local document converters on user-selected files.

Install only if you are comfortable providing the API key and sending health topics plus matched article content to the documented remote medical-model service. Prefer JSON or trusted files, avoid private medical records or PHI unless the service is approved for that use, and process Office/PDF/image inputs only in a patched, sandboxed environment when files are untrusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
    raise PreprocessError("libreoffice/soffice not found for office document conversion.")
with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
    proc = subprocess.run(
        [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
Confidence
77% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
    raise PreprocessError("libreoffice/soffice not found for xls conversion.")
with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
    proc = subprocess.run(
        [office_bin, "--headless",
         "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
         "--outdir", tmp_dir, str(path)],
Confidence
77% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pass
pdf_to_text = shutil_which("pdftotext")
if pdf_to_text:
    proc = subprocess.run(
        [pdf_to_text, "-layout", str(path), "-"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
Confidence
68% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises broad capabilities including file read/write, shell, environment access, and network use, yet declares no permissions or constraints. This creates a transparency and governance gap: operators and users cannot accurately assess what the skill may access, increasing the chance of over-privileged execution and unsafe handling of local files or secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior goes well beyond a simple patient health-education content skill: it accepts many document types, performs OCR/text extraction, writes output files, and sends content to a remote model API. That mismatch can mislead deployers into exposing sensitive medical documents and local files to a skill they believe is only doing local knowledge-base matching, which materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README states that user-provided health content is sent to an internal medical model API, but it does not provide a clear user-facing privacy warning, consent flow, retention statement, or guidance against submitting sensitive personal data. Because the content may include health information from uploaded files and OCR-extracted text, this creates a meaningful privacy and compliance risk around transmission of potentially sensitive medical data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends patient topic/keyword queries and matched article content to an external LLM API, which can expose health-related data to a third party. In a medical context, even seemingly generic queries may reveal sensitive health concerns, and the code provides no consent flow, minimization, redaction, or clear disclosure mechanism before transmission.

VirusTotal

VirusTotal findings are pending for this skill version.
