Medical Scale Retrieval Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent medical-scale research assistant, but it asks agents to download or screenshot full instruments, store them locally, and publish content to Feishu with weak user-control and retention boundaries.

Install only if you are comfortable granting Feishu document/wiki permissions and allowing the agent to retrieve third-party scale materials. Before use, change the hard-coded download path, require confirmation before downloads/screenshots/uploads, restrict Feishu destinations and sharing settings, and verify that each scale license permits local storage or cloud publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill explicitly requires acquiring and locally storing full official questionnaire PDFs or screenshots as a gating condition for report generation, even though the core purpose is research and summarization. This creates a disproportionate content-acquisition and retention capability that can facilitate unauthorized copying and redistribution of copyrighted material, especially because the workflow further exposes links, local paths, and uploaded copies in outputs.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The skill states it cannot access paywalled full literature, but later makes obtaining the complete official scale PDF or screenshots mandatory before proceeding. That contradiction encourages operators to treat full-content acquisition as an operational requirement, increasing the chance of bypassing normal access, licensing, or copyright boundaries when a full instrument is not meant to be copied wholesale.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The template explicitly instructs downloading and locally storing the full official scale PDF at a user-specific filesystem path, which goes beyond metadata research and into acquisition/retention of copyrighted source material. In a medical-scale research workflow, this creates legal/compliance risk and can normalize unauthorized collection or redistribution of protected instruments, especially when later embedded into generated documents or knowledge bases.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The section titled '官方量表全文' (full text of the official scale) and related fields support obtaining, previewing, and directing users to download the complete scale content, which materially enables collection and downstream distribution of copyrighted questionnaire text. Because the skill's stated purpose is research/report generation, this broader content-handling capability is unnecessary and increases the chance of copyright infringement, improper sharing, or exposure of restricted proprietary materials in the knowledge base.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding
The README advertises automatic retrieval of scale information, downloading official PDFs or screenshots, and generating Feishu cloud documents, but it does not clearly warn users that third-party content may be fetched, stored locally, and transmitted to external services. In a medical research context, this can lead to unintentional data handling, privacy exposure, or copyright-sensitive material being uploaded or archived without explicit user awareness.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The quick-start section presents browser automation and information retrieval as routine setup requirements, but does not explain that the skill may autonomously visit external sites and download third-party content. That omission is risky because users may trigger network actions and content acquisition they did not fully expect, especially in regulated or restricted enterprise environments.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill instructs the agent to write downloaded files to a fixed local path and then disclose that path in the generated report, without clearly warning the user that local filesystem writes will occur. Unannounced local writes can violate user expectations, create persistence of potentially sensitive or copyrighted content, and reveal workstation-specific path information that need not be exposed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The workflow directs the agent to upload captured questionnaire screenshots to Feishu cloud storage/documents without an explicit privacy, confidentiality, or external-sharing warning. Even if the source is public, uploading copied content to third-party cloud services changes the data-sharing boundary and may create unauthorized redistribution, audit, or retention risks for copyrighted or regulated materials.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The fallback unconditionally defaults unmatched content to QS/ADQS, which is overly broad for a medical research normalization workflow. In this skill's context, that can silently misclassify scales or assessments into the wrong CDISC domain, propagating incorrect standardized outputs into generated reports or knowledge bases and creating downstream data quality and compliance risks.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The example output includes a full user-specific local path (/Users/wangyafei/Downloads/scales/SGRQ_official.pdf), which can leak identifying environment details through generated natural-language reports. If such reports are shared externally or uploaded to Feishu, they may reveal usernames, workstation conventions, or filesystem layout that can aid social engineering or targeted follow-on attacks.

Ssd 3

Severity: High
Confidence: 97%
Finding
The skill not only acquires full questionnaire PDFs or screenshots, but also instructs the agent to surface those artifacts via links, local paths, and cloud-hosted images in generated outputs. This is a direct natural-language workflow for copying and redistributing full copyrighted content, making disclosure and downstream reuse much easier than necessary for the stated reporting task.

Ssd 3

Severity: Low
Confidence: 93%
Finding
The example leaks concrete local filesystem paths such as /Users/wangyafei/Downloads/scales/..., which can reveal the operator's likely username and aspects of workstation layout. While low severity, this unnecessarily exposes environment details that can aid social engineering, targeted phishing, or tailoring follow-on attacks against the person or host generating the reports.

VirusTotal

66/66 vendors flagged this skill as clean.