unisound-medication-record-management

Security checks across malware telemetry and agentic risk

Overview

This skill manages medication records, but it also sends sensitive health details to a remote model and asks that model to assess drug-interaction risks, even though it presents itself as a plain record-management tool.

Install only if you are comfortable sending medication records and any extracted document text to the listed remote API. Do not rely on its interaction-risk output as medical advice, and avoid processing untrusted PDFs, Office files, or images unless the runtime is sandboxed and you understand the privacy terms for the model provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
83% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for xls conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless",
             "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
             "--outdir", tmp_dir, str(path)],
Confidence
83% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        pass
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
71% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares itself as a simple medication-record management tool, yet the specification enables broad capabilities including file read/write, shell/tool execution, environment access, and network calls without any explicit permission model or user-facing disclosure. In a healthcare context, these capabilities can process sensitive PHI and invoke external tooling or services, increasing the risk of unintended data exposure or unsafe document handling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
There is a real description-behavior mismatch: the skill is presented as medication record management, but it also accepts arbitrary document/image formats, performs OCR/conversion, and sends extracted contents to a remote model API. This hidden expansion of scope is dangerous because users may provide highly sensitive medical records believing the tool is only doing local record management, while the implementation introduces parsing and exfiltration pathways not obvious from the headline description.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The file implements a generic ingestion pipeline for many document and image types, including formats not narrowly required for patient medication record management. This unnecessary capability broadening increases attack surface and creates opportunities to feed hostile files into complex parsers in a healthcare context where data sensitivity is high.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Executing external office converters, OCR engines, and PDF tools on user-provided files is a genuine security concern because it delegates parsing to large native binaries with a history of memory-safety and document-handling bugs. In a patient-medication skill, this is more dangerous because compromise of the processing environment could expose sensitive health data or adjacent systems.
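The three subprocess findings above and this one all come down to the same pattern: an untrusted document is handed to a large native parser with no limits on what that parser may read, how long it may run, or what environment it inherits. The block below is an added example written for this report, not the skill's own code, of how such an invocation can be contained. It assumes a POSIX host; the helper names (check_input_file, run_converter, convert_pdf, build_fixture) are hypothetical, and the files it creates are constructed samples. Note that rlimits only bound runaway CPU and memory; they are not a sandbox, so this still belongs inside a container or seccomp-confined process.

```python
"""Contained invocation of an external document converter on an untrusted file.

Added example, not the skill's code. Assumes a POSIX host; helper names are
hypothetical. rlimits bound runaway converters but are not a sandbox.
"""
from __future__ import annotations

import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path

try:
    import resource  # POSIX only; limits are skipped where unavailable
except ImportError:  # pragma: no cover
    resource = None

PYTHON = sys.executable  # stand-in "converter" for the self-check at the bottom

# Extension -> leading magic bytes required before the file reaches a parser.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}


class UnsafeInput(Exception):
    """Raised when a file fails the pre-conversion checks."""


def check_input_file(path: Path, allowed_root: Path, max_bytes: int = 20 * 1024 * 1024) -> Path:
    """Return the resolved path if it is a regular, non-symlinked file under
    allowed_root, within the size cap, and its magic bytes match its extension."""
    if path.is_symlink():
        raise UnsafeInput(f"symlink refused: {path}")
    real, root = path.resolve(), allowed_root.resolve()
    if not real.is_file():
        raise UnsafeInput(f"not a regular file: {path}")
    if root not in real.parents:
        raise UnsafeInput(f"outside allowed root: {path}")
    if real.stat().st_size > max_bytes:
        raise UnsafeInput(f"too large: {path}")
    expected = MAGIC.get(real.suffix.lower())
    if expected is None:
        raise UnsafeInput(f"unsupported extension: {real.suffix!r}")
    with real.open("rb") as fh:
        if fh.read(len(expected)) != expected:
            raise UnsafeInput(f"content does not match extension: {path}")
    return real


@dataclass
class ConversionResult:
    ok: bool
    text: str
    error: str
    timed_out: bool = False


def _cap(limit: int, value: int) -> None:
    """Set soft and hard rlimit, never above an already lower hard limit."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def run_converter(argv: list[str], *, timeout_s: float = 30, cpu_seconds: int = 20,
                  mem_bytes: int = 2 << 30, max_output: int = 10_000_000) -> ConversionResult:
    """Run argv with no shell, a scrubbed environment (no inherited API keys),
    stdin closed, a wall-clock timeout and CPU/address-space rlimits in the child."""
    env = {"PATH": "/usr/bin:/bin", "LANG": "C.UTF-8"}

    def limits() -> None:  # runs in the child between fork and exec
        _cap(resource.RLIMIT_CPU, cpu_seconds)
        _cap(resource.RLIMIT_AS, mem_bytes)

    with tempfile.TemporaryDirectory(prefix="converter-cwd-") as cwd:
        try:
            proc = subprocess.run(
                argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                env=env, cwd=cwd, timeout=timeout_s, check=False,
                preexec_fn=limits if resource else None,
            )
        except subprocess.TimeoutExpired:
            return ConversionResult(False, "", f"{argv[0]} exceeded {timeout_s}s", timed_out=True)
        except FileNotFoundError:
            return ConversionResult(False, "", f"converter not found: {argv[0]}")
    if proc.returncode != 0:
        return ConversionResult(False, "", proc.stderr.decode("utf-8", "replace")[:2000])
    # Output is truncated and still treated as untrusted text downstream.
    return ConversionResult(True, proc.stdout[:max_output].decode("utf-8", "replace"), "")


def convert_pdf(path: Path, allowed_root: Path) -> ConversionResult:
    """Validate, then run pdftotext on the resolved absolute path (which cannot
    start with '-', so it cannot be parsed as an option) writing text to stdout."""
    real = check_input_file(path, allowed_root)
    binary = shutil.which("pdftotext")
    if not binary:
        return ConversionResult(False, "", "pdftotext not installed")
    return run_converter([binary, "-layout", str(real), "-"])


def build_fixture() -> dict[str, Path]:
    """Constructed sample tree for the demonstration; not real patient files."""
    root = Path(tempfile.mkdtemp(prefix="med-skill-demo-"))
    ok = root / "scan.pdf"
    ok.write_bytes(b"%PDF-1.4\n% constructed sample, not a real document\n")
    fake = root / "fake.pdf"
    fake.write_bytes(b"MZ\x90\x00 not a pdf at all")
    link = root / "link.pdf"
    link.symlink_to(ok)
    outside = Path(tempfile.mkdtemp(prefix="med-skill-outside-")) / "other.pdf"
    outside.write_bytes(b"%PDF-1.4\n")
    return {"root": root, "ok": ok, "fake": fake, "link": link, "outside": outside}


if __name__ == "__main__":
    fx = build_fixture()
    for name in ("ok", "fake", "link", "outside"):
        try:
            print(name, "->", convert_pdf(fx[name], fx["root"]))
        except UnsafeInput as exc:
            print(name, "-> refused:", exc)
```

The checks run before the converter ever sees the file, so a renamed executable, a symlink pointing at something outside the upload directory, or a multi-gigabyte decompression bomb is refused without exercising the parser. The scrubbed environment matters in this skill in particular: the app key discussed later in this report would otherwise be inherited by every child process.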

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code sends full medication records, including drug names, dosage, frequency, dates, status, and notes, to an external LLM API. This is sensitive health data, and exfiltrating it to a third-party service without clear minimization, consent, or documented safeguards creates a real privacy and compliance risk, especially in a medical context.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The system prompt instructs the external LLM to check for drug interaction risks, expanding the skill from record management into medical risk analysis. In addition to privacy concerns from transmitting health data, this can produce unreliable safety guidance from a general external model without validation, which is risky in a patient-facing medication tool.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it 'forces' API-based inference through a remote medical model endpoint, but it does not prominently warn users that medication data and any text extracted from uploaded files or images will be transmitted off the local environment. For health-related data, this is especially sensitive because uploaded records may contain personally identifiable and medical information subject to privacy expectations or regulatory controls.

Missing User Warnings

Low
Confidence
82% confidence
Finding
Requiring an app key via command-line parameter without warning about secret handling can lead users to expose credentials through shell history, process listings, logs, scripts, or saved config files. If the token is leaked, an attacker could misuse the API or access protected services under the user's account or project context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Medication records are transmitted to an external API, but this file provides no explicit user-facing warning, consent flow, or disclosure that sensitive medical data leaves the local environment. For a patient medication management skill, lack of transparency materially increases the chance of unauthorized or unexpected sharing of protected health information.
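The Description-Behavior Mismatch finding (full records sent with no minimization) and the Missing User Warnings findings (no consent flow, no disclosure of what leaves the machine) can be addressed at the point where the request payload is built. The block below is an added example for this report, not the skill's own code: it keeps only the fields an interaction check needs, replaces patient identifiers with a keyed pseudonym, refuses to build a payload without explicit consent, and produces the disclosure text the scanner says is absent. The record fields, payload shape and helper names are assumptions, and the sample records are constructed.

```python
"""Data minimization and consent gate for a remote drug-interaction check.

Added example, not the skill's code. Field names, payload shape and helper
names are assumptions; SAMPLE_RECORDS are constructed, not real patient data.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class MedicationRecord:
    patient_id: str
    drug: str
    dose: str
    frequency: str
    start_date: str
    status: str
    notes: str = ""


# Only these fields are needed to ask "do these drugs interact?"; the rest stay local.
REMOTE_FIELDS = ("drug", "dose", "frequency")

SAMPLE_RECORDS = [  # constructed sample data
    MedicationRecord("P-1001", "warfarin", "5 mg", "once daily", "2024-02-01", "active", "INR checked monthly"),
    MedicationRecord("P-1001", "amiodarone", "200 mg", "once daily", "2024-03-15", "active", "after cardioversion"),
    MedicationRecord("P-2002", "metformin", "500 mg", "twice daily", "2023-11-20", "active", "allergic to penicillin"),
]


class ConsentRequired(Exception):
    """Raised when records would leave the local environment without consent."""


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed hash so the remote side can neither reverse nor cross-link patient
    identifiers; the key stays local and is never part of the payload."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_remote_payload(records, *, consent_to_remote: bool, key: bytes) -> dict:
    """Group minimised entries per pseudonymous patient. Refuses to build anything
    unless the user has explicitly consented to remote processing."""
    if not consent_to_remote:
        raise ConsentRequired("medication data would be sent to a remote model; consent not given")
    patients: dict[str, list[dict]] = {}
    for rec in records:
        entry = {f: getattr(rec, f) for f in REMOTE_FIELDS}
        patients.setdefault(pseudonymize(rec.patient_id, key), []).append(entry)
    return {"purpose": "drug-interaction-check", "patients": patients}


def fields_leaving_locally(payload: dict, records) -> set[str]:
    """Audit check: record fields whose values appear verbatim in the serialised
    payload. Anything beyond REMOTE_FIELDS here is a minimization regression."""
    blob = json.dumps(payload)
    leaked: set[str] = set()
    for rec in records:
        for f in dataclasses.fields(rec):
            value = getattr(rec, f.name)
            if value and value in blob:
                leaked.add(f.name)
    return leaked


def disclosure_text(payload: dict, endpoint: str) -> str:
    """User-facing statement of exactly what leaves the machine and where,
    to be shown and acknowledged before the request is sent."""
    entries = sum(len(v) for v in payload["patients"].values())
    return (f"{entries} medication entries ({', '.join(REMOTE_FIELDS)}) for "
            f"{len(payload['patients'])} pseudonymised patients will be sent to {endpoint}. "
            "Notes, dates, status and patient identifiers are not transmitted.")


if __name__ == "__main__":
    k = b"local-only-pseudonym-key"
    p = build_remote_payload(SAMPLE_RECORDS, consent_to_remote=True, key=k)
    print(json.dumps(p, indent=2))
    print(disclosure_text(p, "https://example.invalid/v1/interactions"))
    print("fields leaving locally:", sorted(fields_leaving_locally(p, SAMPLE_RECORDS)))
```

The audit helper is the useful part in practice: wire it into tests so that any change to the prompt template or payload builder that starts shipping notes, dates or identifiers fails before release rather than after the data has left.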

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal