Back to skill

Security audit

Redacta

Security checks across malware telemetry and agentic risk

Overview

Redacta behaves like a local medical redaction skill, with the main caution that reversible token maps contain the original sensitive identifiers.

Install only where it is acceptable for the assistant to process the clinical text locally. Review outputs before sharing, do not share the token_map with redacted text unless re-identification is intended, and delete or protect temp files and token maps because they contain or can restore PHI/PII.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The README states that the library is 'deterministic only' and that names, postal addresses, and identifying ages are not covered, while the skill metadata claims contextual reasoning and broader de-identification capabilities. In a medical redaction context, such inconsistency can cause users or integrators to misunderstand what protections are actually provided, leading to incomplete de-identification of sensitive clinical text before sharing with AI tools or third parties.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README states the skill may 'trigger automatically' when a user asks to redact or de-identify clinical text, which is a broad activation condition for a tool that handles highly sensitive medical data and includes re-identification capability. In agent environments, over-broad auto-triggering can cause unintended processing of PHI, accidental invocation in the wrong context, or use of the reverse-identification path when the user did not explicitly consent to that workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The tokenMap getter exposes a full reversible mapping from pseudonym tokens back to original sensitive values, including medical identifiers and names. In the context of a medical redaction skill, that mapping is highly sensitive; if it is logged, returned to untrusted components, or stored without strict controls, the pseudonymisation is effectively undone and patient confidentiality can be compromised at scale.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file explicitly promotes restoring original patient identifiers into AI-generated output after pseudonymised processing, but it does not document or enforce any privacy, policy, jurisdictional, or authorization constraints around that re-identification step. In a medical context, this can reintroduce highly sensitive PHI/PII into downstream content, creating a real risk of privacy breach, unauthorized disclosure, or policy non-compliance if the output is shared, logged, or processed by other tools.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This CLI outputs a `token_map` that directly maps redaction tokens back to the original identifiers, which defeats pseudonymisation if the JSON is logged, stored, forwarded, or pasted into another system. In a medical redaction tool, exposing re-identifiable PHI/PII by default is especially dangerous because users may assume the output is safe to share once redacted text is present.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script emits a reversible token_map that contains the original identifiers alongside the redacted text, which can defeat the privacy benefit of pseudonymisation if the JSON output is logged, stored, forwarded, or pasted into another tool. In this skill’s context—handling medical and clinical documents—those originals are highly sensitive, so exposing them by default materially increases the risk of PHI/PII disclosure even though the behavior appears intended for convenience rather than abuse.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.