Back to skill

Security audit

Mental Health Booking

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for booking mental-health telehealth appointments, but it needs review because it handles sensitive health and insurance data, can create real appointments, lacks clear consent safeguards, and contains a script injection bug.

Review before installing. Use only if you trust the publisher and the Klarity endpoint with mental-health booking, contact, DOB, and insurance details. Require an explicit privacy disclosure and final user confirmation before any live booking, prefer dry-run validation where possible, keep BOOKING_API_URL unset unless deliberately testing, and avoid passing untrusted carrier text until the shell quoting issue is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger condition activates on broad mental-health-related mentions, which risks invoking a healthcare booking workflow in casual, ambiguous, or non-booking conversations. In a sensitive medical context, over-triggering can lead to unnecessary collection of health, location, insurance, and contact data before clear user intent is established.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill collects highly sensitive personal and health-adjacent data including name, date of birth, email, phone number, state, and insurance member ID, then transmits it to an external API without an explicit user-facing privacy notice or consent step. In a mental health booking context, this materially increases confidentiality and compliance risk because users may not realize their data is leaving the assistant and being shared with a third-party platform.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API reference documents a live booking endpoint that submits highly sensitive personal and insurance data, yet it provides no explicit warning that calls can create real appointments or that PHI/PII should only be sent with informed user consent. In a conversational agent context, this increases the risk of silent real-world actions, privacy mishandling, and collection/transmission of medical and insurance data without adequate disclosure or confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends an arbitrary JSON booking payload to an external booking endpoint without any built-in consent prompt, redaction, or warning that sensitive health and insurance data may leave the local environment. In a mental-health booking skill, the payload likely contains highly sensitive PHI/PII, so silent transmission materially increases privacy and compliance risk.

External Transmission

Medium
Category
Data Exfiltration
Content
url="${BASE_URL}/api/v1/book"
    [ "$command" = "book-dry" ] && url="${url}?mode=dry_run"

    curl -s -X POST \
      -H "Content-Type: application/json" \
      -d "$json" \
      "$url" | python3 -m json.tool
Confidence
96% confidence
Finding
curl -s -X POST \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.