unisound-primary-diagnosis-surgery-selection

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to process medical records, but it can transmit patient text to a configurable remote LLM endpoint and write prepared medical text to disk without enough explicit user control or disclosure.

Install only in an environment approved for medical data. Confirm exactly which LLM endpoint will receive records, whether patient data is de-identified, what retention rules apply, and where any prepared/debug files are written. Avoid using it with real PHI unless you have explicit authorization and appropriate compliance controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'req' from pathlib.Path.read_text (line 201, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
        headers={"Content-Type": "application/json", **{key: value for key, value in headers.items() if value}},
    )
    try:
        opener = urllib.request.urlopen(req) if not timeout else urllib.request.urlopen(req, timeout=timeout)
        with opener as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return json.loads(body)
Confidence
98% confidence
Finding
opener = urllib.request.urlopen(req) if not timeout else urllib.request.urlopen(req, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities to read input files, optionally write prepared/output files, and send patient-derived data over the network to an internal LLM endpoint, yet no permissions are declared. This creates a transparency and governance gap: callers may invoke a skill handling sensitive medical data without explicit acknowledgment of file, write, and network access, increasing the risk of unauthorized data exposure or unsafe deployment in permission-gated environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is designed to send patient record content to an LLM API, but the interface and code provide no explicit user-facing warning, consent gate, or confidentiality control around that network transmission. In a medical context, this increases the risk of unauthorized disclosure of protected health information and regulatory non-compliance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --save-prepared is used, the script writes preprocessed medical record text to disk for debugging without any sensitivity warning or protective controls. Because this prepared text can contain patient information, it may persist PHI in plaintext in shared workspaces, logs, or backup systems.

VirusTotal

66/66 vendors flagged this skill as clean.