Wihy Health

Security checks across malware telemetry and agentic risk

Overview

This health fact-checking skill is purpose-aligned and instruction-only, but users should know their health questions are sent to WIHY's external API.

Install only if you are comfortable sending health and nutrition questions to WIHY's service. Avoid including names, medical record details, account identifiers, or highly personal medical history unless you trust the provider and its privacy practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill instructs the agent to send the user's health or nutrition question to a third-party endpoint without any user notice, consent flow, or data-minimization guidance. Because health questions can contain sensitive personal or medical information, this creates a real privacy risk even if the API is legitimate and the transmission uses HTTPS.

External Transmission

Medium

Category: Data Exfiltration
Content: ```bash SESSION_ID=$(python3 -c "import uuid; print(uuid.uuid4())") curl -s -X POST https://ml.wihy.ai/ask \ -H "Content-Type: application/json" \ -d "{ \"message\": \"<USER_QUESTION_HERE>\",
Confidence: 92% confidence
Finding: curl -s -X POST https://ml.wihy.ai/ask \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal