Generic Drug

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform a disclosed, user-directed drug lookup through a local SearXNG service, with a privacy note warranted for health-related queries.

Before installing, make sure you trust the local SearXNG service at localhost:8080, especially because drug names can reveal sensitive health interests. Avoid entering identifying medical details unless you understand how that local service logs and retains searches.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Low

Confidence: 95% confidence
Finding: The skill explicitly states it sends the provided drug name to a local SearXNG service, but it does not clearly warn users that their input will be transmitted to another service for lookup. Even though the endpoint is localhost, drug names can reveal sensitive health information, so the missing disclosure creates a privacy and consent issue rather than a code-execution risk.

Missing User Warnings

Medium

Confidence: 76% confidence
Finding: The script transmits user-supplied drug queries to a search service without explicit disclosure or consent, which can expose sensitive medical interests or health-related terms to another service and its logs. In a healthcare-adjacent context, even seemingly simple drug names may reveal private conditions, making undisclosed outbound transmission a real privacy risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal