soyoung-clinic-tools

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent for Soyoung clinic workflows, but it handles credentials and real appointment actions while using broad routing rules and a cross-workspace API key fallback that deserve review before installation.

Install only if you intend this agent to manage Soyoung clinic data. Review the broad triggers and bootstrap hook because unrelated appointment, doctor, or cosmetic-health questions may be routed here. Treat the API key as sensitive, use it only in direct owner chat, and be aware that the implementation can fall back to a default workspace API key when another workspace lacks one.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch
Severity: Medium; confidence: 94%

The appointment script exposes a saved-location retrieval path via --get-location, even though that capability is outside the stated skill scope. Saved location is sensitive personal data, and although the code checks for DM and owner access, placing unrelated PII access inside a broader appointment tool increases accidental exposure risk, expands the attack surface, and violates least-privilege expectations for callers and reviewers.

Vague Triggers
Severity: Medium; confidence: 87%

The project-query examples include broad phrases like treatment, symptom, pain, and pricing questions without consistently anchoring them to the Soyoung brand or clinic context. In an agentic routing system, this can cause the skill to capture general medical-aesthetic or even health-related user queries and respond with clinic-specific content, creating misrouting risk and potentially unsafe or misleading advice outside the intended scope.

Missing User Warnings
Severity: Medium; confidence: 95%

The API spec exposes state-changing appointment endpoints for creating, modifying, and canceling bookings without any explicit safety guidance, user-confirmation requirements, or warnings that these operations alter real user appointment data. In an agent/tooling context, this increases the risk that an LLM-driven agent could invoke destructive or unintended actions from ambiguous prompts, causing unauthorized changes to medical appointment records.

Vague Triggers
Severity: Medium; confidence: 85%

The trigger list includes very broad phrases such as “新氧 API Key” (新氧 is the Chinese name of Soyoung), which can match ordinary conversation and cause the setup skill to activate unexpectedly. In a credential-management skill, accidental invocation is more dangerous than usual because it may prompt users to disclose secrets, reveal configuration status, or initiate sensitive flows in the wrong context.

Vague Triggers
Severity: High; confidence: 95%

These triggers include highly generic phrases such as store/phone/contact queries that can match ordinary conversations unrelated to Soyoung. Because this skill can perform sensitive appointment lifecycle actions and has approval-flow branching, accidental invocation could route users into the wrong skill context, expose clinic-specific data paths, or initiate high-risk booking workflows unintentionally.

Vague Triggers
Severity: High; confidence: 98%

The fallback triggers contain broad phrases like cancel appointment, modify appointment, my appointments, and appointment records without any Soyoung qualifier. In a multi-skill environment, these phrases can hijack unrelated healthcare or scheduling conversations and send them into a medical-aesthetic booking skill, increasing the chance of unintended access to sensitive appointment operations.

Vague Triggers
Severity: Medium; confidence: 88%

Several first-layer triggers are still broad enough to overlap with normal appointment requests, especially phrases like "help me book" or a generic request to book an offline consultation. In this skill, overbroad matching is more dangerous than usual because the domain involves medical-aesthetic appointments and potentially sensitive personal scheduling data.

Vague Triggers
Severity: Medium; confidence: 91%

The fallback triggers are generic phrases like '医生排班' (doctor schedule), '谁在班' (who is on duty), and '今天谁坐诊' (who is seeing patients today), which can match many ordinary conversations outside the intended Soyoung clinic context. In an agent environment, this can cause unintended routing to this skill, exposing clinic-specific tooling and potentially causing misfires, privacy mistakes, or incorrect responses in unrelated contexts.

Vague Triggers
Severity: Medium; confidence: 91%

These triggers include broad phrases such as asking what medical-aesthetic procedure is suitable, recommending a procedure, or asking what a clinic is like, which can match ordinary health/beauty conversations without clearly constraining them to the Soyoung clinic tool. That increases the chance of accidental invocation in unrelated contexts and could route users into a medical-aesthetic workflow that returns branded medical information or pricing they did not explicitly request.

Vague Triggers
Severity: High; confidence: 97%

The manifest registers highly generic standalone terms like '玻尿酸' (hyaluronic acid), '肉毒' (botulinum toxin), '热玛吉' (Thermage), '皮秒' (picosecond laser), '祛痘' (acne removal), and '痤疮怎么办' (what to do about acne), which are common medical or cosmetic topics far beyond this specific vendor skill. In a medical-aesthetic context, overly broad activation is more dangerous because it can capture sensitive health-related queries and steer them into a commercial clinic tool, creating risks of misrouting, inappropriate recommendations, and unintended disclosure of user intent around treatments or symptoms.

Vague Triggers
Severity: Medium; confidence: 73%

The documented high-risk trigger phrases include ambiguous short expressions such as '我的预约' (my appointment) and '取消这个预约' (cancel this appointment) without strong contextual constraints. In an agent environment that maps natural language to actions, overly broad matching for privileged operations can cause unintended entry into approval or booking flows, increasing the risk of accidental or manipulated high-risk actions.

Missing User Warnings
Severity: Medium; confidence: 84%

The uninstall section includes irreversible deletion commands using 'rm -rf' but does not prominently warn about their destructive effects or recommend verification steps. Even in documentation, such commands can be copied blindly by operators, leading to unintended deletion of hooks or skill state if paths are mistyped or environment-variable expansion behaves unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.