Security audit

chronic-disease-review

Security checks across malware telemetry and agentic risk

Overview

This medical OCR review skill appears purpose-aligned, but it makes privacy promises that the code does not enforce before sending sensitive records to a remote service.

Install only if you are authorized to send the OCR contents to the configured backend and to store the returned files locally. Redact patient identifiers yourself unless the publisher provides reviewed de-identification code, verify the --base endpoint before use, and treat generated JSON/text outputs as sensitive medical records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documents capabilities to read input files, write outputs, and send data over the network, yet it declares no permissions. This undermines user and platform trust because a medical-document-processing skill handles sensitive OCR data and can transmit or persist it without an explicit permission boundary.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented behavior materially exceeds the plain-language description by sending OCR medical data to an external service, allowing an arbitrary override of the destination via --base, and writing results to disk. In a healthcare context, this mismatch is dangerous because users may provide highly sensitive records without understanding that they can be exfiltrated to remote endpoints or persisted locally.

Intent-Code Divergence (High)
Confidence: 98%
Finding: The privacy section says data is not written to persistent local storage and is destroyed after the call, but the documented outputs save response JSON and text files to disk. That contradiction is especially serious for medical OCR workflows because stored outputs may contain protected health information and can remain accessible long after processing.

Intent-Code Divergence (Medium)
Confidence: 92%
Finding: The skill claims all transmitted data will be de-identified before being sent to models or interfaces, but the documented interface operates on OCR text directly and returns raw JSON, with no verifiable de-identification step described. For medical records, misleading claims about de-identification can cause unauthorized disclosure of personal and health information to third parties.

Description-Behavior Mismatch (Medium)
Confidence: 94%
Finding: The skill description suggests OCR-based chronic disease review, but the implementation hardcodes a remote service base URL and later sends the OCR payload to that external endpoint. Because the payload contains medical OCR text, this creates a material transparency and data-handling risk: operators may believe processing is local when protected health information is actually transmitted off-host.

Context-Inappropriate Capability (High)
Confidence: 98%
Finding: The code reads OCR medical data from disk and sends it to a remote endpoint for review, which is a direct exfiltration path for sensitive health information. In the context of a medical-review skill, this is especially dangerous because OCR text may contain diagnoses, identifiers, prescriptions, and other regulated data, yet the script provides no minimization, consent, or access-control safeguards around transmission.

Missing User Warnings (Medium)
Confidence: 96%
Finding: The script silently posts OCR-derived medical content to a remote API without any user-facing warning in the CLI flow, despite handling sensitive healthcare data. Even when HTTPS is used, undisclosed transmission of protected information can violate user expectations, organizational policy, or regulatory requirements and increases the chance of accidental data leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.