MedCrypt: End-to-End Encryption for Medical Messaging

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local encryption demo, but it overstates safety and regulatory compliance for sending patient medical data through consumer messaging apps.

Review this carefully before using it with real patient data. Treat it as a local encryption prototype, not proof of HIPAA, GDPR, or LFPDPPP compliance. Do not use Telegram, WhatsApp, or similar platforms for protected health information unless legal, security, and organizational reviewers approve the full workflow, including metadata exposure, backups, endpoint security, recipient identity, retention, auditing, and consent.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly promotes sending sensitive medical data through Telegram/WhatsApp and claims regulatory compliance, but it provides no warning that end-to-end payload encryption does not hide metadata such as contacts, timestamps, platform access, backups, and routing information. In a medical context, that omission can mislead users into overestimating privacy protections and could result in unauthorized disclosure of protected health information or noncompliant handling of patient data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal