Back to skill

Security audit

Prior Authorization Letter Drafter

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate prior-authorization letter tool, but it needs review because it handles patient health data with weak privacy, path, and scope controls.

Install only if you can control healthcare data locally. Use minimum necessary patient information, store generated letters and JSON inputs only in secure approved locations, avoid blind `pip install -r requirements.txt`, and require clinician or authorized staff review before submitting any generated letter to an insurer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
83% confidence
Finding
The usage guidance expands the skill beyond prior-authorization drafting into generic academic-writing tasks, which broadens when the skill may be invoked and increases the chance of misuse or inappropriate handling of unrelated content. Overbroad trigger language can cause the agent to apply this medical/insurance workflow in contexts it was not designed or reviewed for, weakening safety boundaries.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill processes highly sensitive patient and provider information, including identifiers, diagnosis codes, and clinical justification, but it does not provide meaningful privacy, retention, minimum-necessary-use, or handling safeguards. In a medical context, this omission increases the risk of PHI exposure through prompts, generated files, logs, or insecure storage, making the issue more dangerous than in a non-sensitive writing skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation text is broad enough to route generic academic-writing requests into a skill intended for medical prior-authorization letters, creating a scope-confusion problem. In a healthcare-adjacent workflow, that mismatch can cause the agent to generate inappropriate insurance/clinical content or apply the wrong safeguards, especially since the audit already records a stress-case scope-boundary failure.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The file describes the skill as both an 'Academic Writing' package and a prior-authorization insurance letter tool, which creates conflicting scope signals for agent routing and reviewers. While not directly exploitable as code execution, this ambiguity weakens policy enforcement and increases the chance the skill is invoked in the wrong context or evaluated under the wrong safety expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes generated prior-authorization letters directly to disk, and those letters contain PHI/PII such as patient name, DOB, member ID, diagnosis codes, and clinical justification. In a healthcare context, silently persisting this data increases the risk of unauthorized local disclosure, backup/sync leakage, shared-system exposure, or accidental mishandling when users are not explicitly warned or guided toward secure storage.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The sample-input workflow creates a JSON file shaped exactly like real healthcare intake data, including patient, provider, insurer, and clinical-justification fields, but provides no warning not to place real PHI in that file or to protect it appropriately. In this skill's medical-administrative context, users are especially likely to substitute actual patient data into the sample/template and leave sensitive records in plaintext on disk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.