Baa Review

Security checks across malware telemetry and agentic risk

Overview

This is a focused BAA review skill that reads user-provided agreements for compliance analysis, with no code execution, persistence, or hidden data movement found.

Before installing or using this skill, treat any BAA as sensitive. Redact unnecessary patient identifiers, confidential pricing, account details, and other information not needed for review, and only use it in an environment approved for regulated or confidential documents.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This skill explicitly invites users to paste or attach Business Associate Agreements, which commonly contain PHI, contractual details, and other sensitive regulated information, but it provides no warning about minimizing sensitive data, redacting unnecessary identifiers, or handling privacy implications. That omission can cause users to disclose regulated health or confidential business information into the system without informed consent or appropriate safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal