Insurance Policy Terms Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a local medical insurance document parser; its file reading is expected for the stated task, but users should only provide documents they intend to analyze.

Install this only if you want an agent to extract structured data from medical insurance policy documents. Provide only files you intend the agent to read, treat parsed policy contents as sensitive, install the declared Python dependencies from trusted sources if needed, and manually verify the JSON before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill instructs the agent to read arbitrary user-supplied local files via `scripts/parse_document.py <file_path>`, but no corresponding permissions are declared. This creates an undeclared file-read capability that can bypass least-privilege controls and, if the file path is not constrained, may allow access to unintended local files rather than just insurance documents.

VirusTotal

66/66 vendors flagged this skill as clean.
