ClawHub

Menstrual Health Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is a menstrual health tracker that handles sensitive health data locally with disclosed consent and user-control flows, but users should treat its stored files and dashboard exports as private medical information.

Install only if you are comfortable storing menstrual and reproductive health information in a local JSON file and possibly in generated HTML dashboards. Do not place those files in shared folders or send them to others, and remember the health guidance is informational rather than a substitute for professional care.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document states that `user_profile.life_stage` is the only authoritative source for life-stage identification, but later logic proposes prompting stage transitions based on behavioral/history signals such as missing periods, added due date, childbirth mention, or age-related cycle changes. This inconsistency can lead implementations to override or pressure changes to a sensitive reproductive-status field from inferred data, creating privacy and safety risks through incorrect classification and inappropriate health guidance.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README states the skill will "automatically trigger" whenever menstruation-related topics are mentioned, which is an overly broad activation condition for a health-related skill. In practice, this can cause unintended invocation during casual conversation, capture or process sensitive reproductive-health context without clear user intent, and increase privacy and consent risks.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The description says bilingual mode uses automatic Chinese/English detection and switching, which removes an explicit user choice over language handling. While not inherently malicious, forced language detection can mis-handle user input, create confusion, and in a health context may increase the chance of misunderstanding sensitive guidance or displaying content in an unexpected language.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger description is unusually broad for a skill that collects and stores highly sensitive reproductive health data. Terms like period, ovulation, pregnant, postpartum, and menopause can appear in many general wellness or informational conversations, so overbroad activation could cause the skill to engage unexpectedly and begin consent/data-collection flows in contexts the user did not intend, increasing privacy and scope-confusion risk.

Vague Triggers

Low
Confidence
92% confidence
Finding
Accepting vague affirmatives such as '好的' or 'yes' as privacy consent is weak for a workflow involving sensitive health data and local persistence. A user may be agreeing to continue the conversation generally, not specifically consenting to collection and storage of menstrual/reproductive health information, which undermines informed consent and can lead to unauthorized retention of sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The dashboard presents cycle predictions, fertility windows, and health recommendations in a way that can be interpreted as medical guidance, but it does not provide a clear user-facing disclaimer that the content is informational only and not a substitute for professional care. In a menstrual health context, users may rely on these outputs for fertility planning or delay seeking care for abnormal symptoms, which creates safety risk even without classic code-execution impact.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document recommends a concrete JSON storage format for highly sensitive reproductive and health data, including conditions, medications, symptoms, mood, and notes, but provides no guidance on privacy controls, retention limits, access restrictions, encryption, or consent. In a health-related skill, this omission can lead implementers to persist intimate data insecurely by default, increasing the risk of privacy breaches, over-collection, and noncompliant handling of sensitive information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This file directs the skill to collect highly sensitive reproductive and health data and explicitly makes that profile the highest-priority context, but it provides no privacy notice, retention limits, access controls, or explanation of how the data will be handled. In a health-related context, omission of consent and handling safeguards increases the risk of overcollection, misuse, and non-compliant processing of sensitive personal data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs automatic extraction of sensitive health information from natural conversation, such as inferring pregnancy status, without requiring explicit user consent or even a contemporaneous notice. This is especially dangerous because reproductive status is highly sensitive data, and covert inference from free text can surprise users, create inaccurate records, and expand collection beyond what they knowingly shared for storage.

Missing User Warnings

High
Confidence
98% confidence
Finding
This skill specification instructs collection of highly sensitive health, reproductive, medication, and body metrics data, including pregnancy status, menstrual history, medical conditions, and postpartum details, but shows no visible notice about storage, retention, sharing, consent, or minimization. In this context, the danger is elevated because the data categories are intimate and potentially stigmatizing, so opaque handling could lead to privacy harm, regulatory exposure, and user manipulation or overcollection beyond what is necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The dashboard generator embeds the full menstrual-health dataset, analysis results, and recommendations directly into a standalone HTML file on disk. Because this data is highly sensitive health information, exporting it without an explicit warning, consent flow, file-permission controls, or minimization increases the risk of accidental disclosure through shared folders, backups, email, or local compromise.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal