Back to skill

Security audit

Health Checkup Recommender

Security checks across malware telemetry and agentic risk

Overview

The core checkup recommendation and QR booking flow is plausible, but the skill also documents sensitive health-context handoff to external human-support systems without enough scoping or disclosure consistency.

Review before installing. The main recommendation and QR features appear purpose-aligned, and the implemented sync sends item IDs to ihaola rather than direct PII, but do not enable or rely on human handoff unless you are comfortable sending profile and health-related conversation context to an external desk system. Ask for a preview of shared fields, explicit opt-in consent, redaction/minimization controls, and retention/access details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file claims a zero-server QR recommendation skill but also instructs operators to register a discoverable long-lived OceanBus service and accept agent-to-agent requests. That materially changes the threat model from a local helper into a network-reachable service, increasing exposure to unsolicited inputs, abuse, and broader data-sharing risks.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The security section asserts that sync_items.js is the only network request, but later sections document additional outbound and inbound network interactions for OceanBus registration, serving, and desk transfer. False or incomplete network-transparency claims are especially dangerous in a health-related skill because reviewers may approve it based on an inaccurate understanding of external communications.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill extends beyond recommendation and QR booking into customer-service escalation with profile and conversation transfer to an external desk system. That is a material expansion of purpose and data sharing, especially for health-adjacent conversations, and increases privacy risk if users did not specifically consent to this separate processing.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README uses a very broad natural-language trigger (e.g. "我想做体检") that overlaps with common user speech, which can cause unintended skill activation in broader chat contexts. In a health-related skill, accidental activation is more sensitive because it can start collecting medical and personal information without a clearly bounded invocation flow.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation examples are framed as ordinary conversation rather than a clearly delimited command, making it ambiguous when the skill should engage. This increases the chance that unrelated user messages are interpreted as consent to begin a medical intake flow, leading to unnecessary collection of sensitive health information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that customer profile data and an AI-generated summary are transferred to a human agent, but it does not describe explicit user notice, opt-in consent, or data-minimization requirements. In a medical-service context, sharing health-related context with another party without clear consent creates privacy, compliance, and trust risks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The tag list includes highly generic trigger phrases such as common health-checkup requests and everyday language that overlap with ordinary user intent. In agent-routing systems, this can cause the skill to activate unintentionally, exposing users to a medical-adjacent workflow, data collection prompts, and third-party booking flows when they did not explicitly choose this provider.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The description presents the service in Chinese-only terms without indicating language choice or fallback, which can lead to users being routed into a medical recommendation experience they cannot fully understand. In a health context, language mismatch increases the chance of misunderstanding screening recommendations, consent language, or booking details.

Ssd 3

Medium
Confidence
90% confidence
Finding
The workflow description indicates that full customer profile information and AI summaries are sent during transfer to human agents, which suggests broad sharing of sensitive personal and health-service context. Even if transport is encrypted, over-sharing to another system or operator increases exposure, especially when the README does not define minimization, retention, or user approval controls.

Ssd 3

Medium
Confidence
93% confidence
Finding
The example JSON handoff payload includes directly identifying data (name, age, city) plus medical-service context and recommended actions for downstream transmission. This demonstrates a concrete pattern of cross-system sharing of sensitive data, and in a health-checkup skill the context makes misuse, leakage, or unauthorized access materially more harmful.

Ssd 3

Medium
Confidence
94% confidence
Finding
The handoff template directs agents to send customer profile fields and a full conversation log to an external desk system. For a health-related workflow, that can expose sensitive personal and medical context beyond what is necessary for support, especially if redaction, minimization, and explicit consent are not enforced.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.