Back to skill

Security audit

Medication Reminder

Security checks across malware telemetry and agentic risk

Overview

This medication tracker is not malicious, but it needs review because its reminder features are incomplete and it stores sensitive medication data in plaintext local files.

Review before installing. Treat this as an incomplete local log, not a dependable medication reminder, and do not rely on it for dose timing. Only enter medication details if you are comfortable storing health information in plaintext files in your home directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to track medication dosing schedules, but the implemented schedule and due commands are only placeholders and do not calculate reminders or due medications. In a medication-management context, this mismatch can create unsafe reliance: users may assume reminders and schedule checks are functioning when they are not, leading to missed doses, double-dosing, or other medication errors.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The skill explicitly stores medication names, dosing schedules, and intake history in a local directory, but the user-facing description does not warn about this persistence or its privacy implications. Because this data can reveal sensitive health information, lack of disclosure can lead users to expose medical data on shared or insufficiently secured systems without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script stores sensitive medication names, doses, frequencies, and intake history in plaintext files under the user's home directory without any notice, consent flow, or privacy guidance. Medication data is health-related and can reveal medical conditions, so silent local persistence increases confidentiality risk, especially on shared systems, backups, or devices with weak filesystem protections.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.