Back to skill

Security audit

za-healthguide

Security checks across malware telemetry and agentic risk

Overview

This insurance guidance skill appears purpose-aligned, but it handles sensitive health-insurance questions and sends them to external services without clear user notice or consent.

Review before installing. Use only non-identifying health details, assume product and disease query terms may be sent to ZhongAn iHealth and search providers, and ask the publisher to disclose data handling, add consent/redaction rules, and replace the embedded API key with a managed credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill explicitly instructs use of `web_search` and a Python script, which are code/network-capable actions, but no permissions are declared. This creates a hidden capability gap: reviewers and runtime policy may underestimate the skill's ability to send user-derived health/insurance queries externally, increasing risk of unauthorized data exposure and policy bypass.

Tp4

High
Category
MCP Tool Poisoning
Confidence
80% confidence
Finding
The skill claims broad advisory and comparison capabilities, including underwriting analysis across insurers, but the documented behavior relies heavily on limited product knowledge lookup and web search. This mismatch is dangerous because users may place undue trust in medical-insurance guidance that the skill is not actually equipped to provide, leading to misleading coverage conclusions or improper handling of sensitive disclosures.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger scope is very broad for a sensitive domain involving health history, underwriting, and insurance recommendations. Over-broad activation can cause the skill to engage on borderline or inappropriate prompts, unnecessarily collecting or processing medical details and issuing regulated financial/insurance guidance outside intended boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the agent to use external web searches to answer product questions, but it does not require notifying the user that query contents will be sent to a third-party search provider. In an insurance underwriting context, user prompts are likely to include sensitive health conditions, age, and insurance needs, so silent external queries can expose personal or health-related information beyond the platform boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The provided search templates operationalize external searches without any privacy guardrails, making it likely that an agent will directly send insurance and health-related context to an external service. Because this skill is specifically for substandard-risk insurance advice involving pre-existing conditions, the omitted warning is more dangerous than in a generic shopping skill due to the sensitivity of the likely query content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends user-supplied query text and product information to an external HTTPS service without any consent, notice, or data-classification guardrails. In this skill context, users may ask about pre-existing diseases or abnormal health indicators, so the transmitted content can include sensitive health-related information; that makes silent exfiltration to a third party materially risky even if the endpoint is the intended backend.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
A hard-coded API key is embedded directly in the script, which exposes the credential to anyone with source access and makes accidental leakage through repositories, logs, or package distribution likely. If reused or still valid, the key could be abused to access the backend service, consume quotas, scrape product data, or impersonate legitimate traffic.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.