Shift Handover Summarizer

Security checks across malware telemetry and agentic risk

Overview

This skill transparently processes user-supplied EHR JSON files into handover summaries, with no evidence of hidden network access, credential use, or automatic execution.

Install only if you are authorized to process the patient records involved. Run it in a restricted working directory, choose output paths deliberately, avoid shared folders for summaries containing PHI, and verify clinical outputs manually before use.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 84% confidence
Finding: The skill documentation indicates the workflow reads an input records file and may write an output summary file, but the manifest does not declare corresponding permissions. Undeclared file access is a security and governance issue because hosts, reviewers, or users may assume the skill has fewer capabilities than it actually uses, reducing transparency and weakening policy enforcement around sensitive EHR data handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal