Back to skill

Security audit

Xiwang Medical Content

Security checks across malware telemetry and agentic risk

Overview

This is a text-only medical marketing skill, but it can generate public health content and treatment-style guidance without strong safety warnings or clinical boundaries.

Review carefully before installing. The skill does not appear to perform unsafe technical actions, but it is designed to generate medical-adjacent promotional content from bundled claims. Use it only for informational drafting with human medical, legal, and advertising compliance review before publication, and do not rely on it for diagnosis, treatment, or self-care instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation scope is ambiguous because the description combines explicit trigger phrases with open-ended free-form keyword retrieval, but does not define clear boundaries for when the skill should or should not activate. That ambiguity increases the chance that unrelated prompts are routed into a workflow that generates medical-adjacent scientific claims and branded promotional content, raising compliance and safety risk.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation scope is ambiguous because the description combines explicit trigger phrases with open-ended free-form keyword retrieval, but does not define clear boundaries for when the skill should or should not activate. That ambiguity increases the chance that unrelated prompts are routed into a workflow that generates medical-adjacent scientific claims and branded promotional content, raising compliance and safety risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill generates medical-related research summaries and public-facing health content but does not provide a clear warning that outputs are informational only and not medical advice. In this context, users may over-trust the generated content—especially because it cites studies, institutions, and data—leading to inappropriate self-diagnosis, treatment decisions, or reliance on promotional claims presented as health guidance.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The file presents extensive disease-treatment, symptom-relief, and clinical-efficacy claims across cancer, thyroid disease, insomnia, cardiovascular health, and other conditions without any visible disclaimer that the material is informational only and not medical advice. In a skill designed to retrieve research and auto-generate public-facing medical content, this omission materially increases the risk that users will treat promotional or low-evidence summaries as actionable healthcare guidance, potentially delaying proper diagnosis or treatment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This file gives disease-specific treatment guidance, target points, frequency, and course length for self-administered heat-based therapy, but it does not include warnings about burns, delayed medical care, contraindications, or the need for licensed clinical supervision. In the context of a skill designed to retrieve medical research content and generate public-facing copy, these instructions can be surfaced to end users as actionable medical advice, increasing the risk of unsafe self-treatment and misleading health claims.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.