Back to skill

Security audit

Chanke Ops Kit

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only hospital marketing content skill with some scope and medical-compliance caveats, but it does not run code, access credentials, persist, or transmit data.

Install only if you intend to generate authorized content for this hospital or obstetrics department. Review generated medical marketing for local advertising rules, factual substantiation, consent, and patient privacy, especially for case stories and remote-consultation claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill metadata advertises activation on broad phrases such as '产科运营' and '写产科文案', which can match many ordinary writing requests and cause the skill to activate outside a narrowly intended scope. Over-broad triggering increases the chance of unintended context injection, brand-biased steering, or inappropriate use of embedded proprietary reference material when a user did not explicitly request this hospital-specific skill.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The user-expression mapping contains numerous generic phrases like '写朋友圈', '推文', '话术', and '活动方案' without any requirement that the request be about this specific hospital or authorized brand context. This can make the skill capture unrelated user requests and respond with hospital-specific operational guidance or branded content, creating scope confusion, data leakage risk from internal references, and misapplication of domain-specific instructions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file promotes 5G remote consultation, cloud quality-control platforms, and cross-institution ultrasound image review, but it provides no privacy notice, consent requirement, data-minimization guidance, or handling constraints for sensitive medical data. In a healthcare context, this omission can lead downstream agents or operators to generate content that normalizes transmitting patient information across regions or third parties without adequate safeguards.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.