倪师

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it should be reviewed carefully because it can produce clinician-like traditional medicine advice, formulas, and dosing suggestions for serious health conditions.

Install only if you want educational or historical TCM reference behavior and are comfortable with health-risk content. Do not use it for self-diagnosis, prescriptions, dosage selection, emergencies, pregnancy, children, psychiatric crisis, cancer, chest pain, bleeding, stroke symptoms, diabetes management, eye emergencies, or toxic herbs; those require qualified medical care.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The reference file substantially expands astrology, divination, and feng shui content even though the skill metadata says these are only auxiliary topics that should be mentioned sparingly. In a medical-adjacent skill, this creates instruction drift: the agent may over-index on non-medical guidance, provide misleading health-related recommendations tied to superstition, or bypass the intended scope limits.

Missing User Warnings

Medium
Confidence: 94%
Finding
The quick-reference instructs readers to select formulas based on symptoms and even provides dosage ranges, but the nearby usage section does not prominently warn that this is not for diagnosis or self-medication. In the context of a skill designed to emulate a clinician-style consultation, this increases the chance that users will treat the table as actionable medical guidance, including use of toxic or high-risk herbs such as fuzi (附子, aconite), mahuang (麻黄, ephedra), and xixin (细辛, asarum), leading to misdiagnosis, delayed care, or direct harm from unsupervised use.

Missing User Warnings

Medium
Confidence: 98%
Finding
This reference file presents a large catalog of disease-specific formulas, including serious conditions such as cancer, stroke sequelae, heart pain, diabetes, and gastrointestinal bleeding, in a way that can be operationalized as treatment guidance. Although the skill metadata contains a general disclaimer, this file itself lacks embedded safety framing, triage boundaries, and escalation guidance, making it easier for the agent to surface high-risk medical advice without adequate warning or referral to licensed care.

Missing User Warnings

High
Confidence: 98%
Finding
This file provides detailed diagnostic heuristics, syndrome differentiation, and specific treatment recommendations including named formulas, escalation logic, and dosing-adjustment ideas, but the file itself does not include an informational-use warning or clear instruction to defer to licensed medical care. In a skill explicitly designed to simulate a clinician-style consultation, that omission materially increases the chance users receive actionable medical advice and delay appropriate diagnosis or treatment.

VirusTotal

VirusTotal findings are pending for this skill version.
