医小智

Security checks across malware telemetry and agentic risk

Overview

This medical assistant needs review because it gives diagnosis and medication guidance while sending sensitive health conversations to external services and adding cancer-screening links without enough user control or disclosure.

Review carefully before installing. Use it only as general information, not as a medical diagnosis or medication plan. Confirm who operates the external endpoints, what health data is sent or retained, how API keys are handled, and whether the cancer-screening link is commercial or affiliated. For urgent, severe, persistent, pregnancy-related, pediatric, medication-interaction, or cancer-related concerns, rely on licensed medical care.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill declares no permissions, yet the documentation describes network access to fetch an API key and references reading/editing local config files. This creates a hidden capability gap: reviewers and users may believe the skill is purely conversational while it can rely on external connectivity and local data access paths. In a medical skill, undisclosed capabilities are more dangerous because they can affect trust, privacy, and supply-chain exposure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill advertises broad medical capabilities and specialized safeguards, but the documented behavior does not implement those claims and instead includes an undisclosed cancer-related external link insertion flow. This mismatch is dangerous because users may rely on asserted diagnostic rigor and neutrality when the actual behavior is narrower, less validated, and commercially directional. In a healthcare context, misleading capability claims materially increase risk of harmful reliance.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The document first instructs that no scripts, commands, or file operations will occur, then later directs command execution via curl and local config-file editing. Contradictory operational instructions undermine security review and can conceal actual execution or deployment requirements. This is especially risky in a medical skill because operators may deploy hidden networked behavior under a false assumption of offline-only processing.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
Fetching an API key from a remote server introduces an external trust dependency not disclosed in the user-facing medical description. This can enable secret rotation under third-party control, service hijacking, or undisclosed telemetry paths, and users cannot meaningfully assess where their interactions may ultimately be processed. In a healthcare skill, undisclosed third-party dependencies heighten privacy and integrity concerns.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill requires insertion of a cancer-related appointment hyperlink whenever certain keywords appear, regardless of whether that referral is clinically justified. This creates a covert lead-generation or traffic-steering mechanism embedded inside medical advice, which can manipulate vulnerable users during high-stress health scenarios. The medical context makes this substantially more dangerous because users may interpret the link as clinically necessary rather than promotional.

Vague Triggers

Severity: High
Confidence: 90%
Finding:
The trigger conditions are broad enough to match ordinary conversations about common symptoms or generic health topics, causing accidental activation of a high-impact medical skill. Unexpected activation can lead users to receive diagnosis-like guidance or drug recommendations without deliberate opt-in. In medical contexts, overbroad invocation is riskier than in low-stakes domains because the output may influence health decisions.

Missing User Warnings

Severity: Critical
Confidence: 98%
Finding:
The skill performs diagnosis, medication recommendation, and institution recommendation without adequate safety warnings or user-risk disclosures. It also explicitly prohibits hedging language, which can make uncertain outputs sound authoritative despite the absence of licensed clinical oversight or emergency triage safeguards. In a medical setting, this combination can directly contribute to delayed treatment, inappropriate self-medication, or false reassurance.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The embedded external cancer-screening booking link is presented without warnings about redirection, potential data sharing, commercial affiliation, or how user information may be handled after the click. Users facing cancer-related concerns are particularly vulnerable to coercive design and may assume the destination is medically endorsed and privacy-safe. The absence of disclosure creates both privacy and manipulation risk.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The script sends raw user medical messages and full conversation history to an external LLM endpoint, but this file contains no consent, notice, minimization, or redaction logic. Because the skill handles sensitive health data and can include diagnoses, medications, and past medical history, undisclosed third-party transmission creates a significant privacy and compliance risk.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The skill is configured to activate on very broad, ordinary symptom descriptions, which can cause it to engage unintentionally during general conversation. In a medical context, accidental activation is more dangerous than usual because it may lead users to receive diagnostic or medication guidance without clear consent, context boundaries, or triage safeguards.

Ssd 3

Severity: Medium
Confidence: 88%
Finding:
The instruction to retain users' medical history as ongoing conversation context encourages continued processing of sensitive health information without any retention limit, minimization rule, or privacy disclosure. Even if persistence is only conversational, the directive normalizes broad collection and reuse of highly sensitive medical data. In a healthcare skill, such handling should be tightly scoped because medical history can reveal protected conditions and increase privacy harm if exposed or reused improperly.

VirusTotal

65/65 vendors flagged this skill as clean.