Back to skill

Security audit

Drug Pronunciation

Security checks across malware telemetry and agentic risk

Overview

This is a small local drug-pronunciation lookup script with no network or credential access; its main caveats are overstated coverage and optional file output.

Reasonable to install for simple local pronunciation lookup. Treat it as a small demo database rather than a comprehensive medical reference, verify pronunciations for real clinical use, and only use --output with a safe workspace path because it can overwrite writable files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill metadata indicates file-writing capability via the `--output` parameter and risk table, but no explicit permissions declaration is present. This creates a policy and transparency gap: consumers or hosting platforms may not accurately understand that the skill can persist data to disk, increasing the chance of unintended file writes or misuse in broader workflows.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill states that it can write an output JSON file, but does not provide a clear user-facing warning about when files are created, where they are written, or the consequences of persisting generated content. While the data here appears low sensitivity, silent file creation can still surprise users, overwrite files, or contribute to unsafe chaining in automated environments.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.