Bmi Bsa Calculator

Security checks across malware telemetry and agentic risk

Overview

This is a basic local BMI/BSA calculator, but its documentation overstates clinical dosing and pediatric features in ways that could mislead medical use.

Review before installing if you might use it for clinical work. Treat it only as a simple BMI and DuBois BSA calculator, independently verify any medication or chemotherapy calculations, do not rely on the advertised pediatric or drug-specific workflows, and choose output paths carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documentation materially overclaims clinical capabilities while also permitting output to an arbitrary user-specified file path. In a medical dosing context, unsupported formulas, missing pediatric logic, and undisclosed file-write behavior can cause unsafe dosing decisions or overwrite files if an agent passes untrusted output paths.

Intent-Code Divergence

Medium
Confidence: 84%
Finding: Internal contradictions about whether multiple BSA formulas, pediatric support, and unit flexibility already exist undermine operator trust and can lead users or downstream agents to rely on features that are not implemented. In a clinical calculator, this increases the chance of incorrect calculations being used for patient care, especially pediatric dosing.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding: The script allows writing output to any user-supplied filesystem path without restriction. In an agent or automated execution context, this unnecessary file-write primitive can be abused to overwrite files accessible to the process, potentially causing data loss, corruption, or planting content in sensitive locations.

VirusTotal

64/64 vendors flagged this skill as clean.
