中医舌诊(Tongue Diagnosis)

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it should be reviewed because it provides medical-style tongue diagnosis from user photos with broad triggers and disease-specific claims.

Install only if you understand this is an informational Chinese-language TCM reference skill, not a medical diagnostic tool. Do not rely on its photo analysis to diagnose disease, rule out illness, choose medication, or delay care; consult a licensed clinician for symptoms, persistent concerns, or urgent signs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger design is broad enough to activate on general health-related phrases such as '健康评估' and common tongue-related terms, which can cause the medical-analysis skill to run when the user did not clearly request a diagnostic workflow. In a health context, unintended invocation is more dangerous because it may produce medical-sounding assessments or advice without explicit user intent, increasing the risk of overreach and inappropriate reliance.

Natural-Language Policy Violations

Medium
Confidence: 78%
Finding
The skill is authored entirely in Chinese and assumes Chinese-language operation without stating a locale restriction or checking the user's preferred language. In a medical-adjacent diagnostic skill, language mismatch can materially degrade user understanding of limitations, ratings, and disclaimers, leading to misinterpretation of health guidance or failure to seek care appropriately.

Missing User Warnings

Medium
Confidence: 98%
Finding
This file provides extensive medical diagnostic guidance and disease associations for sublingual vein appearance, including links to coronary disease, cirrhosis, tumors, and diabetes, without any warning that the material is educational, not validated for self-diagnosis, and not a substitute for licensed medical care. In the context of a skill explicitly intended to let users upload tongue images for medical diagnosis, this omission materially increases the risk that users will rely on the output for diagnosis, delay appropriate care, or be falsely reassured or alarmed.

Missing User Warnings

Medium
Confidence: 96%
Finding
This file presents detailed medical diagnostic interpretations of tongue appearance and links them to disease states without any user-facing disclaimer, uncertainty guidance, or instruction to seek qualified medical evaluation. In the context of a skill explicitly intended for daily photo upload and medical diagnosis, users may rely on this content for self-diagnosis, delay appropriate care, or miss urgent conditions such as stroke-related signs mentioned in the text.

Missing User Warnings

Medium
Confidence: 96%
Finding
This file provides medical diagnostic interpretations of tongue features and links them to disease states, including severe or critical conditions, without any warning that the content is limited, non-validated, and not a substitute for professional medical evaluation. In the context of a skill explicitly intended for users to upload tongue photos daily for diagnosis, the omission can cause users to self-diagnose, delay appropriate care, or act on incorrect conclusions from a highly unreliable method.

VirusTotal

63/63 vendors flagged this skill as clean.