HYFCeph

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised HYFCeph workflow, but it needs review because it handles sensitive medical images with saved credentials, remote sharing links, and under-disclosed account-backed modes.

Install only if you are comfortable sending cephalometric images and optional patient names to the HYFCeph portal and receiving online or Feishu report links. Use it on a private machine, avoid patient-identifying details unless necessary, verify the portal URL, and clear or rotate the saved API key when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The client supports `share-url` and `current-case` modes even though the skill description says the public user only sends local images and the server reuses the owner's synced browser session behind the scenes. That mismatch materially broadens capability: a caller can trigger processing of a remote share URL or whatever case is currently open on the owner's session, creating an unexpected path to access or process data outside the user-supplied files.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code requests a PDF upload ticket, uploads the generated PDF back to portal storage, and returns shareable/public URLs, which exceeds the stated local-save behavior. In a medical workflow this can silently exfiltrate patient-derived reports to remote storage and expand disclosure through share links that may be forwarded or insufficiently access-controlled.

Description-Behavior Mismatch

Low
Confidence
86% confidence
Finding
The client generates QR artifacts for report and Feishu document share URLs that are not disclosed in the manifest. While QR generation itself is not inherently dangerous, turning sensitive report links into easily scannable artifacts increases the chance of accidental disclosure and broadens the effective sharing surface of medical results.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger conditions are overly broad: the skill may activate when a user merely mentions HYFCeph, provides an API key, or sends ceph images, even if they did not clearly consent to remote upload and analysis. In this context, activation can lead to transmission of medical images and use of stored credentials, so accidental invocation materially increases privacy and authorization risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly uploads local cephalometric images to a remote portal, saves local result artifacts, and generates online report links, but it does not require clear user notice or consent for external transmission and persistence of potentially sensitive medical data. Because these are patient images and derived reports, the lack of transparency and consent creates significant confidentiality and compliance exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API key is written to `~/.codex/state/hyfceph-auth.json` for reuse, with no visible encryption, permission hardening, or user-facing disclosure in this path. A locally persisted credential can be recovered by other local processes, backup systems, or users on a shared machine and then reused to access the HYFCeph portal and associated data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The client stores last-result state locally, including patient name, report/share URLs, file paths, and related metadata, without any visible warning or minimization. In a medical context this creates a local privacy leak and durable record of sensitive activity that may be accessible to other users, logs, sync tools, or endpoint monitoring systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code reads local cephalometric images, base64-encodes them, and sends them with patient name to a remote server endpoint, but the path contains no explicit consent or warning step. Because these are medical images and identifiers, undisclosed transmission materially increases privacy, compliance, and data-handling risk, especially given the skill already uses the owner's synced server-side session.

Ssd 3

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the system to persist a validated API key locally and reuse it across new conversations, creating a cross-session secret retention risk. In this skill's context, that is especially dangerous because the key can enable access to a third-party medical workflow and may cause one user's credential to be reused for another user's request if isolation is imperfect.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: hyfceph
description: Run the HYFCeph cephalometric workflow through the HYFCeph portal with an API key by uploading one or two local lateral ceph images. The public user only sends images; the server reuses the owner's synced browser session behind the scenes. Save a local result JSON, write an annotated PNG, and return supported cephalometric metrics or overlap traces. Use when the user wants HYFCeph analysis, mentions HYFCeph, provides an API key, or sends ceph images.
---

# HYFCeph
Confidence
97% confidence

VirusTotal

66/66 vendors flagged this skill as clean.
