Security audit

Mxyj Heartplus Ecg

Security checks across malware telemetry and agentic risk

Overview

This ECG skill is broadly purpose-aligned, but it handles sensitive health/account data while automatically downloading and running an external native helper with weak user-control boundaries.

Install only if you trust the publisher, the Heartplus service, and the external healthgateway binary source. Expect to provide a phone number, complete SMS or App authorization, allow local native-code execution, and leave phone/auth/report-cache data in the skill directory unless you manually remove it later. Do not share sessionKeys, and avoid using this on a shared or untrusted machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
@staticmethod
    def _health_check(path: Path) -> bool:
        try:
            result = subprocess.run(
                [str(path), "--help"],
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
Confidence
84% confidence
Finding
result = subprocess.run( [str(path), "--help"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, t

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = [str(bin_path), subcommand, *args]

        try:
            result = subprocess.run(
                cmd,
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
Confidence
91% confidence
Finding
result = subprocess.run( cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=timeout,

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill advertises ECG notification/analysis/report features, but this file silently downloads and runs a separate local 'security program'. That hidden behavior materially expands capability beyond the apparent user-facing purpose and increases risk because users and reviewers may not expect local code execution as part of a health-management skill.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code downloads an executable from a configured URL, writes it to disk, marks it executable, and later runs it. Dynamic download-and-execute is a classic high-risk pattern because compromise of config, hosting, transport trust, or release process can immediately turn the skill into a remote code execution path on the user's machine.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs collection and processing of sensitive identifiers and authenticators, including mobile phone numbers and SMS verification codes, but does not present a clear privacy/security warning or handling policy at the point of collection. In a healthcare-adjacent context, this increases the risk of over-collection, unsafe retention, user confusion, and account compromise if the data is logged, cached, or exposed.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger set for measurement includes broad symptom phrases like '心慌' and '胸闷', which can overlap with urgent medical situations or general health questions. In a cardiac-health skill, this can cause unsafe routing: the system may default to sending a measurement notification instead of prioritizing emergency guidance or a more appropriate triage response.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document states that report data ordering is written to a local `report_list_cache.json` file and stored per session, but this persistence is not clearly disclosed to users. Because the skill handles ECG reports and identifiers, undisclosed local caching can expose sensitive health metadata through residual files, cross-session access mistakes, or insufficient retention controls.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file downloads and stores an executable without any visible user warning or confirmation in this code path. Silent installation of executable content reduces informed consent and makes abuse harder for users to detect, especially in a health-related skill where such behavior is not obviously necessary.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code executes the downloaded binary via subprocess with no visible user-facing disclosure in this file. In the context of a consumer ECG-management skill, undisclosed local execution is especially sensitive because it exceeds the typical expectations of a data-processing integration and can expose the host to arbitrary code behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.