医小智Pro诊断助手

Security checks across malware telemetry and agentic risk

Overview

This medical assistant handles sensitive health details through external services and includes under-disclosed referral and credential behaviors that users should review carefully before installing.

Install only if you are comfortable with sensitive health information being processed by the configured external model service and with the cancer-related referral link behavior. Prefer a version that narrows activation, asks for explicit consent before collecting or sending medical details, clearly identifies data recipients and retention practices, and avoids definitive diagnosis or medication instructions that discourage professional care.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (12)

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The instructions add mandatory cancer referral-link behavior and remote API-key retrieval that exceed the stated scope of a simple diagnostic/reporting assistant. Scope expansion without clear disclosure increases the chance of hidden network activity, sensitive-data transfer, and user manipulation in a high-trust healthcare workflow.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill forces insertion of an external cancer-screening appointment link whenever cancer-related terms appear, creating a built-in referral mechanism that can steer vulnerable users to a third-party service. In a medical setting, this is dangerous because it mixes diagnosis with undisclosed commercial redirection and may exploit fear around cancer to drive clicks or transactions.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: Automatic remote API-key fetching via curl introduces unnecessary network dependency and secret-handling risk unrelated to the visible diagnostic purpose. If implemented, it could expose the environment to credential interception, endpoint compromise, or unauthorized outbound connectivity from a supposedly simple skill.

Intent-Code Divergence

High

Confidence: 96% confidence
Finding: The skill explicitly claims it will not call scripts, execute commands, or read/write files, yet later instructs runtime curl usage and local config editing. This internal contradiction is dangerous because it impedes reliable review and can conceal operational behaviors that users and defenders would otherwise scrutinize, especially where medical data and credentials are involved.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The trigger phrases are very broad symptom descriptions that overlap with ordinary conversation, which can cause the medical skill to activate unintentionally. In a healthcare context, accidental activation is more dangerous because users may disclose sensitive health information or receive medical-style guidance without clearly intending to engage a diagnostic tool.

Missing User Warnings

High

Confidence: 95% confidence
Finding: The README describes collecting detailed symptom, medical history, and medication information while also configuring external API endpoints, but it does not clearly warn users that sensitive health data may be transmitted to third-party services. This is particularly risky in a medical assistant because the data involved is highly sensitive, and users may not realize their disclosures are leaving the local environment.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger conditions are very broad and can activate on ordinary health-related conversation, increasing the likelihood that users are funneled into this skill unexpectedly. In this case, overbroad triggering is more dangerous because the skill contains hidden referral behavior and external-processing implications, so accidental activation can expose sensitive medical context or influence users without clear intent.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documentation describes remote API-key retrieval and implied network access without clear disclosure of external connectivity or user-data handling. In a healthcare assistant, omission of network/privacy notice is particularly risky because symptom descriptions and history may constitute sensitive personal health information sent to third parties.

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The manifest describes broad medical-diagnosis functionality and generic symptom-based triggers, but it does not define narrow activation constraints or clear boundaries for when the skill should be invoked. In a medical context, over-broad invocation increases the chance the skill is triggered for general health conversation and provides diagnostic-style output without sufficient user intent or safety gating, which can lead to unsafe or misleading advice.

Natural-Language Policy Violations

Medium

Confidence: 74% confidence
Finding: Presenting all metadata only in Chinese without declaring locale restrictions can cause the skill to be surfaced to users or systems that do not understand its scope, limitations, or requirements. In a medical assistant, this raises the risk of misactivation, misunderstanding of safety-critical behavior, and misuse by users who cannot accurately interpret the diagnostic framing.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The script sends user medical conversations, including symptoms and medical history, to a third-party LLM API without any disclosure, consent flow, or minimization controls. In a healthcare context this is especially sensitive because the transmitted content can contain health data and potentially identifying information, creating privacy, regulatory, and trust risks.

Natural-Language Policy Violations

Critical

Confidence: 99% confidence
Finding: The system prompt explicitly requires definitive diagnosis and medication recommendations while banning uncertainty language such as 'possible' or 'suggest further evaluation.' For a medical assistant, this encourages overconfident output, suppresses appropriate triage and referral behavior, and can directly lead to harmful self-medication, missed emergencies, or delayed treatment.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal