HIPAA Gap Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a purpose-aligned HIPAA assessment skill with a disclosed external API, but users should treat the submitted compliance details as sensitive.

Installers should use this as a compliance planning aid, not legal advice. Before submitting real organization data, confirm ToolWeb's privacy, retention, and HIPAA/business-associate posture, avoid patient-identifiable PHI unless approved, and use the minimum detail needed for the assessment. VirusTotal is still pending, but static and artifact review found no hidden code or automatic execution.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill is explicitly designed to send organization compliance details and potentially sensitive PHI-related context to an external third-party API, but it does not provide a clear user-facing warning, data handling disclosure, or minimization guidance. In a healthcare context, even metadata about PHI volume, PHI types, incidents, vendors, and safeguards can be highly sensitive and may create regulatory, contractual, and confidentiality exposure if transmitted without informed consent and vendor due diligence.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal