unisound-medication-reminder

Security checks across malware telemetry and agentic risk

Overview

This medication-reminder skill presents itself as a simple reminder tool, but it handles sensitive medication data through a broad document-parsing pipeline and a mandatory remote medical-model API, without adequate consent, privacy, or local-only controls.

Install only if you are comfortable with medication-related information and any imported medical documents being processed by local parsers/OCR tools and sent to the listed remote medical-model endpoint. Avoid real patient or regulated health data unless you have consent, privacy, and compliance controls; a local/template-only reminder skill would be safer for sensitive use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
    raise PreprocessError("libreoffice/soffice not found for office document conversion.")
with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
    proc = subprocess.run(
        [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
Confidence
78% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
    raise PreprocessError("libreoffice/soffice not found for xls conversion.")
with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
    proc = subprocess.run(
        [office_bin, "--headless",
         "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
         "--outdir", tmp_dir, str(path)],
Confidence
79% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    pass
pdf_to_text = shutil_which("pdftotext")
if pdf_to_text:
    proc = subprocess.run(
        [pdf_to_text, "-layout", str(path), "-"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
    )
Confidence
72% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises only a medication-reminder function, yet the documentation describes capabilities requiring file read/write, shell execution, network access, and environment use without any declared permission model or user-facing disclosure. In a healthcare context, these hidden capabilities materially increase risk because they can process local medical documents and transmit sensitive medication data externally.
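The underdeclared-capability finding above is the kind of thing that can be checked mechanically before a skill is installed. The following is an added example, not code from the skill or from SkillSpector: it walks the AST of a skill's Python source, records which sensitive capabilities the code actually exercises (shell execution, network, environment variables, file writes) and lists those the skill's declaration does not cover. The capability names, the module-to-capability mapping, the sample source and the declared-capability set are all constructed for this example.

```python
"""Static capability audit for a skill's Python source (added example)."""
import ast

# Module/function-to-capability mapping used by the audit (assumption for this example).
NETWORK_MODULES = {"requests", "urllib", "http", "httpx", "socket", "aiohttp"}
SHELL_FUNCS = {"run", "Popen", "call", "check_call", "check_output"}
OS_EXEC_FUNCS = {"system", "popen", "execv", "execvp", "execve", "spawnv"}
OS_ENV_ATTRS = {"environ", "getenv", "putenv"}


class CapabilityVisitor(ast.NodeVisitor):
    """Collects (capability, line, evidence) triples from a parsed module."""

    def __init__(self):
        self.used = set()
        self.evidence = []

    def _hit(self, cap, node, what):
        self.used.add(cap)
        self.evidence.append((cap, node.lineno, what))

    def visit_Import(self, node):
        for alias in node.names:
            root = alias.name.split(".")[0]
            if root in NETWORK_MODULES:
                self._hit("network", node, f"import {alias.name}")
            elif root == "subprocess":
                self._hit("shell", node, "import subprocess")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        root = (node.module or "").split(".")[0]
        names = {a.name for a in node.names}
        if root in NETWORK_MODULES:
            self._hit("network", node, f"from {node.module} import ...")
        elif root == "subprocess":
            self._hit("shell", node, f"from subprocess import {', '.join(sorted(names))}")
        elif root == "os" and names & OS_ENV_ATTRS:
            self._hit("environment", node, f"from os import {', '.join(sorted(names & OS_ENV_ATTRS))}")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # Catches os.environ / os.getenv wherever they appear, e.g. os.environ.get("KEY").
        if isinstance(node.value, ast.Name) and node.value.id == "os" and node.attr in OS_ENV_ATTRS:
            self._hit("environment", node, f"os.{node.attr}")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id == "open":
            mode = "r"  # open() defaults to read-only
            if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                mode = node.args[1].value
            for kw in node.keywords:
                if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                    mode = kw.value.value
            if isinstance(mode, str) and any(c in mode for c in "wax+"):
                self._hit("file_write", node, f"open(..., {mode!r})")
            else:
                self._hit("file_read", node, "open(...)")
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            if func.value.id == "subprocess" and func.attr in SHELL_FUNCS:
                self._hit("shell", node, f"subprocess.{func.attr}()")
            elif func.value.id == "os" and func.attr in OS_EXEC_FUNCS:
                self._hit("shell", node, f"os.{func.attr}()")
        self.generic_visit(node)


def audit_capabilities(source, declared):
    """Compare the capabilities a source file uses with the ones the skill declares."""
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    declared = set(declared)
    return {
        "used": visitor.used,
        "declared": declared,
        "undeclared": visitor.used - declared,
        "declared_unused": declared - visitor.used,
        "evidence": sorted(visitor.evidence, key=lambda e: e[1]),
    }


# Constructed sample: a "reminder-only" skill that also shells out to a converter,
# reads a credential from the environment and posts text to a remote endpoint.
SAMPLE_SKILL_SOURCE = '''
import os
import subprocess
import requests
from pathlib import Path

APP_KEY = os.environ.get("MED_MODEL_APP_KEY")

def convert(path):
    proc = subprocess.run(["soffice", "--headless", "--convert-to", "txt", str(path)],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def analyse(text):
    resp = requests.post("https://example.invalid/v1/chat/completions",
                         headers={"Authorization": APP_KEY}, json={"input": text})
    return resp.json()

def save(note):
    with open(Path.home() / "reminders.json", "w") as fh:
        fh.write(note)
'''
# What a reminder-only manifest might plausibly declare (constructed).
DECLARED_CAPABILITIES = {"file_read", "file_write"}

if __name__ == "__main__":
    report = audit_capabilities(SAMPLE_SKILL_SOURCE, DECLARED_CAPABILITIES)
    for cap in sorted(report["undeclared"]):
        lines = [str(ln) for c, ln, _ in report["evidence"] if c == cap]
        print(f"undeclared capability {cap!r} at lines {', '.join(lines)}")
```

Run against the constructed sample, the audit reports shell, network and environment use that the declaration never mentions, with the source line of each hit, which is the evidence a reviewer needs to challenge the skill's stated scope. The visitor is deliberately conservative: it only recognises direct module attribute calls, so aliased imports or dynamic dispatch would need extra rules.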

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose is simple reminder management, but the documented behavior expands into document parsing, OCR, office/PDF conversion, and sending extracted medication data to an external LLM endpoint. That mismatch is security-relevant because users may provide sensitive files under the assumption of local reminder handling, while the skill actually performs broader data extraction and external processing.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation introduces internal medical LLM analysis even though the skill is framed as a reminder-management utility. This broadens processing from deterministic scheduling into model-based interpretation, increasing risks of overcollection, unintended analysis of health data, and user reliance on output outside the stated purpose.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The skill claims it only manages reminders and does not make medication judgments, but later states that an internal medical model will generate natural-language interpretation/analysis. This inconsistency can mislead users about the nature of processing and creates safety risk if users treat generated medical-sounding analysis as trustworthy guidance.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements a broad document-ingestion and conversion pipeline for PDFs, Office documents, spreadsheets, JSON, text, and images, which materially exceeds a patient medication reminder skill's stated purpose. This mismatch is dangerous because unnecessary capabilities increase attack surface, enable unexpected local file processing, and can conceal data-handling behavior users did not consent to.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill includes subprocess-based office conversion, PDF extraction, and OCR capabilities that are unrelated to reminder logic and process untrusted content through external binaries. That combination meaningfully increases risk of exploitation through parser bugs, unexpected data exfiltration paths, or abuse of local tooling present on the host.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The custom PATH scanning logic discovers and executes local binaries based on the host environment, which makes runtime behavior depend on whatever executables are available. In a misconfigured or compromised environment this can lead to unexpected binary selection, abuse of untrusted tool locations, and harder-to-audit execution paths.
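The three subprocess findings and the PATH-scanning finding above describe the same weakness from two sides: which binary gets executed is decided by the host's PATH, and the converter then runs with the skill's full environment and no time limit. The following is an added example, not the skill's own code, of how a practitioner would harden that step: resolve_tool() accepts only an allowlisted tool name found in an allowlisted, absolute directory that is not writable by other users, and verifies the real file behind any symlink; run_converter() then executes with a hard timeout, a minimal environment, a scratch HOME and working directory, and no inherited stdin. TRUSTED_DIRS, ALLOWED_TOOLS and the function names are assumptions for this example.

```python
"""Hardened lookup and invocation of external document converters (added example)."""
import os
import stat
import subprocess
import tempfile
from pathlib import Path

TRUSTED_DIRS = ("/usr/bin", "/usr/local/bin", "/opt/libreoffice/program")  # assumption
ALLOWED_TOOLS = {"soffice", "libreoffice", "pdftotext", "tesseract"}        # assumption


class ToolResolutionError(RuntimeError):
    pass


class ConversionError(RuntimeError):
    pass


def _writable_by_others(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _trusted_owner(st):
    # Only root or the user running the skill; anyone else could swap the binary.
    me = os.getuid() if hasattr(os, "getuid") else 0
    return st.st_uid in (0, me)


def resolve_tool(name, trusted_dirs=TRUSTED_DIRS):
    """Return the absolute path of an allowlisted tool found in a trusted directory."""
    if name not in ALLOWED_TOOLS:
        raise ToolResolutionError(f"{name!r} is not an approved converter")
    for d in trusted_dirs:
        dpath = Path(d)
        if not dpath.is_absolute() or not dpath.is_dir():
            continue  # relative PATH entries and missing dirs are never searched
        dst = dpath.stat()
        if _writable_by_others(dst) or not _trusted_owner(dst):
            continue  # e.g. /tmp or a user-writable drop directory
        cand = dpath / name
        if not cand.is_file() or not os.access(cand, os.X_OK):
            continue
        real = cand.resolve(strict=True)  # follow symlinks; soffice usually is one
        fst = real.stat()
        if _writable_by_others(fst) or not _trusted_owner(fst):
            raise ToolResolutionError(f"{real} is writable by others or not trusted-owned")
        return str(real)
    raise ToolResolutionError(f"{name!r} not found in trusted directories")


def run_converter(tool_path, args, timeout=60):
    """Run a resolved converter with scratch HOME/cwd, a minimal env and a hard timeout."""
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp:
        env = {
            "PATH": os.pathsep.join(TRUSTED_DIRS),
            "HOME": tmp,        # LibreOffice writes its user profile under HOME
            "LANG": "C.UTF-8",
        }
        try:
            proc = subprocess.run(
                [tool_path, *args], cwd=tmp, env=env,
                stdin=subprocess.DEVNULL, capture_output=True, text=True,
                timeout=timeout, check=False,
            )
        except subprocess.TimeoutExpired:
            raise ConversionError(f"{tool_path} exceeded {timeout}s and was killed")
        if proc.returncode != 0:
            raise ConversionError(
                f"{tool_path} failed ({proc.returncode}): {proc.stderr.strip()[:200]}")
        return proc.stdout


def pdf_to_text(path):
    """Same pdftotext invocation as the flagged snippet, via the hardened path."""
    tool = resolve_tool("pdftotext")
    return run_converter(tool, ["-layout", str(path), "-"])
```

Note that the environment passed to the converter deliberately omits the skill's own variables, so the remote-API credential the skill reads from its environment is not inherited by LibreOffice or poppler and cannot leak through a converter bug; a per-call timeout also turns a malicious document that hangs the parser into a clean error rather than a stuck agent.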

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill sends patient medication details, schedule information, and treatment status to an external chat-completions endpoint even though reminder generation is largely computed locally. In a healthcare context, this is sensitive medical data disclosure to a third party, creating privacy, compliance, and data-governance risk that exceeds what is necessary for the feature.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Requiring an external LLM API credential for a medication reminder skill indicates the feature depends on a remote service not strictly necessary for its core function. This expands the trust boundary, enables sensitive-data exfiltration to the provider, and introduces operational/security dependencies that are not justified by a basic reminder workflow.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires an app key and sends input to an external medical-model API, but the documentation does not warn users that medication and potentially broader health-document content may leave the local environment. This is especially dangerous because the supported inputs include PDFs, office files, and images, which may contain extensive sensitive health information beyond reminder fields.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code silently performs document conversion and OCR using external tools without any visible user-facing notice, consent handling, or disclosure of what data is being processed. For a healthcare-related skill, undisclosed processing of patient-provided files is particularly sensitive because it may involve medical information and external parsing components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code transmits medication names, doses, reminder times, and status to an external API without any user-facing notice, consent flow, or disclosure mechanism. In the patient-medication context, these fields can reveal diagnoses or treatment conditions, making silent third-party transfer especially dangerous from a privacy and regulatory standpoint.
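The four findings above on external transmission and missing warnings all reduce to three absent controls: an explicit opt-in before anything leaves the host, a strict allowlist of what may be sent, and a record the user can inspect. The following is an added example, not the skill's own code, of a gate that enforces all three and falls back to the template-only rendering the overview recommends. The field names, the Consent record, the endpoint string and the sample reminder are constructed for this example.

```python
"""Consent gate and field minimisation for the remote medical-model call (added example)."""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Fields a remote rephrasing step genuinely needs (assumption for this example).
REMOTE_ALLOWED_FIELDS = frozenset({"medication", "dose", "schedule", "status"})
# Fields that must never leave the host: identifiers and anything parsed from documents.
LOCAL_ONLY_FIELDS = frozenset({"patient_name", "date_of_birth", "source_document_text", "notes"})


class ConsentRequired(PermissionError):
    pass


class UnclassifiedField(ValueError):
    pass


@dataclass
class Consent:
    remote_analysis: bool = False          # off by default: local mode unless the user opts in
    endpoint: Optional[str] = None
    granted_at: Optional[float] = None


@dataclass
class OutboundGate:
    consent: Consent
    audit_log: list = field(default_factory=list)

    def build_remote_payload(self, reminder):
        """Return the minimal payload allowed to leave the host, or raise."""
        if not self.consent.remote_analysis:
            raise ConsentRequired(
                "remote medical-model analysis is disabled; use local_reminder_text() "
                "or have the user opt in explicitly")
        unknown = set(reminder) - REMOTE_ALLOWED_FIELDS - LOCAL_ONLY_FIELDS
        if unknown:
            # Fail closed: a field nobody classified is treated as sensitive.
            raise UnclassifiedField(f"refusing to send unclassified fields: {sorted(unknown)}")
        payload = {k: reminder[k] for k in sorted(REMOTE_ALLOWED_FIELDS & set(reminder))}
        digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
        self.audit_log.append({
            "ts": time.time(),
            "endpoint": self.consent.endpoint,
            "fields_sent": sorted(payload),
            "fields_withheld": sorted(LOCAL_ONLY_FIELDS & set(reminder)),
            "sha256": digest,  # lets the user verify later exactly what was sent
        })
        return payload


def local_reminder_text(reminder):
    """Deterministic, template-only rendering: the safe default when consent is absent."""
    return (f"Take {reminder['dose']} of {reminder['medication']} "
            f"{reminder['schedule']} ({reminder['status']}).")


# Constructed sample reminder, including document-derived text that must stay local.
SAMPLE_REMINDER = {
    "medication": "metformin",
    "dose": "500 mg",
    "schedule": "twice daily with meals",
    "status": "active",
    "patient_name": "Test Patient",
    "source_document_text": "Discharge summary ... (constructed OCR output)",
}

if __name__ == "__main__":
    gate = OutboundGate(Consent(remote_analysis=True, endpoint="https://example.invalid/v1/chat/completions",
                                granted_at=time.time()))
    print(gate.build_remote_payload(SAMPLE_REMINDER))
    print(gate.audit_log[-1]["fields_withheld"])
    print(local_reminder_text(SAMPLE_REMINDER))
```

The gate does not try to scrub free text; it refuses to forward it at all, because OCR output from a discharge summary cannot be reliably redacted. Medication name and dose still leave the host when consent is granted, and the finding above is right that those alone can reveal a diagnosis, so the audit entry records them so the user can see what the provider received.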

VirusTotal

66/66 vendors flagged this skill as clean.
