Back to skill

Security audit

Mediwise Health Suite

Security checks across malware telemetry and agentic risk

Overview

This health skill is mostly purpose-aligned, but it handles very sensitive health data with under-scoped multi-user access controls and some under-disclosed network and file-serving behavior.

Install only in an isolated health workspace and avoid shared/group-bot deployments unless owner_id is enforced fail-closed. Treat the local databases, attachments, backups, reports, and wearable configs as sensitive medical data. Do not enter passwords or API keys in chat, avoid public binding of the attachment server, and enable external services such as DDInter, vision/LLM providers, embeddings, USDA, backend APIs, or wearable sync only after confirming what data will leave the machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (86)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except FileNotFoundError:
        return {"status": "error", "error": 'google-chrome not found'}
    except subprocess.TimeoutExpired:
        subprocess.run(['pkill', '-f', 'chrome.*headless'], capture_output=True)
        return {"status": "error", "error": 'Chrome print-to-pdf timed out'}

    if result.returncode != 0 or not os.path.isfile(output_path):
Confidence
93% confidence
Finding
subprocess.run(['pkill', '-f', 'chrome.*headless'], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return {"status": "error", "error": "google-chrome not found"}
    except subprocess.TimeoutExpired:
        # Kill any lingering chrome processes from this run
        subprocess.run(["pkill", "-f", "chrome.*headless"], capture_output=True)
        return {"status": "error", "error": "Chrome screenshot timed out"}

    if not os.path.isfile(output_path):
Confidence
95% confidence
Finding
subprocess.run(["pkill", "-f", "chrome.*headless"], capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises significant capabilities including environment-variable use, filesystem access, shell commands, and optional network access, but does not declare permissions. This undermines the trust model because users and hosting platforms cannot accurately evaluate the blast radius of a health-data skill before installation, especially given the sensitivity of medical and family records.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared description frames the skill as a mostly local family health tool, but the documented behavior is substantially broader: OCR/LLM ingestion, report generation, local HTTP file serving, reminders, exports, and multiple external integrations. For a skill handling highly sensitive health information, this mismatch can cause users to authorize or deploy it without understanding that it may expose records through networked, file-serving, or export features.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The changelog makes a strong security/privacy claim that all personal health data remains local with no cloud upload, but other entries document external wearable integrations and configurable third-party vision providers. In a health-management skill handling sensitive medical data, this mismatch can mislead users into sharing protected data under false assumptions about data flow and storage.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The subprocess is launched with the full inherited process environment via `{ ...process.env, PYTHONPATH: HEALTH_SCRIPTS_DIR }`, which can leak secrets such as API keys, tokens, database credentials, or proxy settings into child Python processes. In a health-related skill handling sensitive data, unnecessary environment propagation broadens the blast radius if a child script is compromised, logs its environment, or loads attacker-influenced modules/configuration.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script's default scope is described as local/offline-first, but it can transmit user food queries and an API credential to a third-party USDA service. In a health-management context, even food-search terms can reveal dietary habits or medical concerns, so silent network access expands the privacy and data-exposure surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script accepts an --owner-id parameter and even imports verify_member_ownership, but none of the command handlers call an authorization check before reading or modifying nutrition goals and intake data for an arbitrary member_id. In a family health management context, this allows unauthorized access to or tampering with another member's sensitive dietary and health-related records, which is especially risky because the data concerns personal health information.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The guide claims sensitive health information will not leak to other conversations, yet later instructs users to integrate with external messaging platforms and optional external vision/cloud models. Those claims can mislead users into overtrusting the privacy posture and sharing medical data without understanding that third-party services and chat platforms may receive or store it.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document states that every query and write must include `--owner-id`, but many example commands omit it. In a multi-tenant family health context, this inconsistency can lead implementers or agents to call scripts without tenant scoping, risking unauthorized access to or modification of another user's sensitive health records and alerts.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
When owner_id is omitted, the code explicitly falls back to a single-user mode where all local data is accessible. In a health-management context handling sensitive family/member records, this creates an authorization bypass risk that can expose all locally stored health data to callers who do not supply proper ownership context.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill instructs nightly transfer of sensitive health data into an external DREAM skill for deeper analysis, expanding processing beyond the declared tracker itself. In a medical context, cross-skill data sharing materially increases privacy and data-governance risk, especially if user consent, data minimization, retention, and isolation guarantees are not explicit.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The file declares that every script call must include --owner-id because it is the core tenant-isolation control, yet multiple example commands omit it. In a multi-user health-record system, inconsistent propagation of owner context can cause cross-user data reads/writes, which is especially dangerous because the data includes highly sensitive medical information.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
This file exposes attachment add/get/delete and URL-generation operations for files containing medical data, yet the manifest does not disclose file handling or URL-serving behavior. In a health context, undisclosed attachment retrieval and temporary URL generation materially increase the risk of sensitive-record exposure, especially because this entry point forwards user-supplied host, port, source_path, and object identifiers directly to backend scripts.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The document explicitly instructs the agent to query external sources such as DDInter, openFDA, and general web search for medication-safety answers, which expands behavior beyond a primarily local SQLite health-management skill. In a health context, this creates privacy and scope risks because user medication data or query context may be sent to third-party services without clear consent, configuration gating, or disclosure.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
Requiring referral to online clinical calculators extends the skill from local health management into routine use of third-party web tools. Although lower risk than direct data export, it can still expose sensitive health parameters to external sites and conflicts with the product's locally focused expectations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This module starts an HTTP server and exposes attachment contents over signed URLs, which meaningfully expands the attack surface from local file/database management into network-accessible health-data serving. In a family health tracker handling sensitive medical files, any network exposure raises confidentiality risk, especially because the companion server implementation also leaks its signing secret at startup.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The report-generation path performs an additional side effect by persisting daily snapshots, even though the function is presented as generating an HTML report. In a health-management context, silently storing extra copies of sensitive medical data increases privacy and data-retention risk, and can violate least surprise, consent, or minimization expectations.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The file claims to generate a self-contained HTML report, but the template loads Chart.js from a remote CDN. For a report containing health data, this undermines privacy and integrity expectations because opening the file can cause network access to a third party and introduces a supply-chain dependency.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The parser attempts to send raw medical report text to an external LLM via `api_client.call_llm` before falling back locally. Because the skill handles sensitive health data and the product description emphasizes local SQLite by default with cloud features only after explicit setup, this creates a privacy and data-exfiltration risk if networked LLM access is available without explicit consent or configuration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The ability to kill system processes is not justified for generating a family health report and can disrupt other workloads on the machine. Because the pattern is broad and targets any matching headless Chrome command line, the skill context makes this more dangerous in multi-tenant or desktop environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The helper unconditionally sends query strings to the external DDInter service over the network, which conflicts with the stated 'local SQLite by default; optional cloud features require explicit setup' behavior. In a health app, even drug names can reveal sensitive medical conditions, so undisclosed outbound transmission creates a privacy and trust risk.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This flow retrieves a member's active medications from local/API-backed records and transmits each medication name to DDInter for resolution and interaction checks. That exposes sensitive health data for a specific member to a third party without an explicit setup gate or point-of-use consent, which is especially risky in a family health management context handling protected medical information.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The APIProvider sends raw input texts to a third-party embedding service, and in this skill those texts may contain health-related or other sensitive personal data. Even if cloud use is described as optional at the product level, this code path creates a real data exfiltration risk whenever an API key is configured, especially because there is no in-band consent, redaction, or sensitivity check before transmission.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
`get_daily_briefing()` returns all non-deleted members when both `member_id` and `owner_id` are absent, which exposes family members' reminders and health tips without any ownership check. In a health-management skill handling sensitive medical data, this is a direct authorization failure that can leak private health information across users.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.