
Security audit

TCM Prescription API

Security checks across malware telemetry and agentic risk

Overview

This prescription-search skill appears purpose-aligned, but it sends health-related symptom text to a raw-IP external service and documents unsafe API-key-in-URL flows.

Review before installing. Use only if you trust the API operator, avoid entering identifying medical details, and send the API key in the `X-API-Key` header (as the skill's own script does) rather than through any documented URL query parameter flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly directs the agent to use shell commands and outbound network access (`curl`, `python3`) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a host system may load the skill without understanding that it can transmit user queries and interact with external infrastructure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to send symptom data to an external API for recommendation, but it does not disclose that these inputs may contain sensitive health information. Health-related data is privacy-sensitive, and omission of a warning or consent guidance can lead to unintended transmission of personal medical information to a third-party service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly permits passing the API key as a query parameter, which causes the credential to be embedded in URLs. URLs are commonly logged by browsers, reverse proxies, load balancers, analytics systems, and server access logs, so this materially increases the chance of accidental credential disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The API key status endpoint requires the full secret to be sent in the URL query string, creating a direct credential-exposure path. Because this is a dedicated key-management endpoint, users are encouraged to repeatedly disclose live secrets in URLs, amplifying leakage risk through logs, monitoring, browser history, and intermediary infrastructure.
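The two findings above both come down to one check a reviewer can run over a skill's documentation and scripts before installing it: does any URL carry a credential in its query string? The following added example (not the audited skill's code, and not part of the SkillSpector report) scans text for URLs whose query parameters look like credentials, shows the request line a server access log or reverse proxy would record for such a URL, and produces a redacted form. The sample document, the `example.invalid` hostname, the key value and the list of credential-like parameter names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that usually carry a credential (assumed list; extend for the API under review).
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "secret"}

# Bare URLs as they appear in shell snippets and markdown; stops at quotes, whitespace and closing brackets.
URL_RE = re.compile(r"https?://[^\s\"'`<>)\]]+")

# Constructed sample of a skill's documentation. Hostname and key value are placeholders, not the audited skill's.
SAMPLE_DOC = """\
# Usage (constructed sample)
curl -s "https://example.invalid/api/prescriptions/search?q=guizhi&page=1"
curl -s "https://example.invalid/api/keys/status?api_key=sk-live-0123456789"
curl -s -H "X-API-Key: $API_KEY" "https://example.invalid/api/prescriptions/recommend"
"""


def secret_params_in_url(url):
    """Return the sorted names of query parameters in url that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in SECRET_PARAMS})


def redact_url(url):
    """Return url with every credential-bearing query value replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name.lower() in SECRET_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def logged_request_line(url, method="GET"):
    """What a server access log or proxy typically records for this request.

    The query string is part of the request line and is logged; request headers
    such as X-API-Key normally are not, which is why the header flow leaks less.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"{method} {target} HTTP/1.1"


def scan_text(text):
    """Return (line_number, url, leaked_param_names) for every URL embedding a credential parameter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            leaked = secret_params_in_url(url)
            if leaked:
                findings.append((line_no, url, leaked))
    return findings


if __name__ == "__main__":
    for line_no, url, leaked in scan_text(SAMPLE_DOC):
        print(f"line {line_no}: credential in URL query ({', '.join(leaked)})")
        print("  would be logged as:", logged_request_line(url))
        print("  redacted form:     ", redact_url(url))
```

Run it over the skill's README and scripts concatenated; any hit on a key-management endpoint is the pattern the High finding describes. The scanner only knows the parameter names in `SECRET_PARAMS`, so add whatever names the API's own documentation uses.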

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The recommend flow transmits user-provided symptom data, which is health-related and potentially sensitive, to a remote third-party API. Although this appears to be the intended function of the skill, the script provides no explicit privacy notice, consent prompt, retention guidance, or minimization controls before sending the data off-host.
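The controls this finding says are missing can sit in a thin wrapper around the recommend call. The following added example (not the audited skill's code) gates the off-host request on explicit consent, strips every field except `symptoms`, redacts structured identifiers from the symptom text, and places the key in the `X-API-Key` header rather than the URL. The endpoint placeholder, the `TCM_CONSENT` and `TCM_API_KEY` variable names, the identifier patterns and the sample input are assumptions made for the example.

```python
import json
import os
import re

# Placeholder endpoint for illustration; not the audited skill's address.
RECOMMEND_URL = "https://example.invalid/api/prescriptions/recommend"

# Direct identifiers that users tend to paste next to symptoms (assumed patterns, not exhaustive:
# regex redaction catches structured identifiers only, never free-text names).
IDENTIFIER_PATTERNS = (
    re.compile(r"\b1[3-9]\d{9}\b"),                 # 11-digit mobile number
    re.compile(r"\b\d{17}[\dXx]\b"),                # 18-character national ID
    re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),    # e-mail address
)


class ConsentRequired(Exception):
    """Raised when symptom text would leave the host without explicit user consent."""


def consent_granted(env=None):
    """Consent must be stated explicitly per session; assumed variable name TCM_CONSENT."""
    env = os.environ if env is None else env
    return env.get("TCM_CONSENT", "").strip().lower() == "yes"


def redact_identifiers(text):
    """Replace structured identifiers in text with a fixed marker."""
    for pattern in IDENTIFIER_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def minimize_payload(raw):
    """Keep only the symptoms field, as a list of redacted strings; drop every other key."""
    symptoms = raw.get("symptoms", [])
    if isinstance(symptoms, str):
        symptoms = re.split(r"[,，;；\n]+", symptoms)
    return {"symptoms": [redact_identifiers(s.strip()) for s in symptoms if s.strip()]}


def build_recommend_request(raw, env=None):
    """Return (url, headers, body) for the recommend call, or raise.

    The key travels in X-API-Key (the header the skill's own script uses), never in the URL.
    """
    env = os.environ if env is None else env
    if not consent_granted(env):
        raise ConsentRequired("symptom text would be sent off-host; set TCM_CONSENT=yes to allow it")
    api_key = env.get("TCM_API_KEY")  # assumed variable name
    if not api_key:
        raise ValueError("TCM_API_KEY is not set")
    body = json.dumps(minimize_payload(raw), ensure_ascii=False)
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    return RECOMMEND_URL, headers, body


if __name__ == "__main__":
    # Constructed input mixing symptoms with identifiers that should never leave the host.
    raw = {"symptoms": "headache, fever, chills; tel 13812345678",
           "patient_name": "Zhang Wei", "contact": "zw@example.invalid"}
    try:
        url, headers, body = build_recommend_request(raw)
        print(url, headers, body)
    except ConsentRequired as exc:
        print("blocked:", exc)
```

Note what the minimization does and does not do: the name disappears only because its whole field is dropped, not because the regexes recognise it. Free-text identifiers inside the symptom string still need the user to leave them out, which is why the consent prompt belongs in front of the call rather than after it.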

External Transmission

Medium
Category
Data Exfiltration
Content
### 1. Search prescriptions

```bash
curl -s "https://119.91.226.122/api/prescriptions/search?q=桂枝&page=1&limit=20"
```

Parameter description:
Confidence
89% confidence
Finding
```bash
curl -s "https://119.91.226.122/api/prescriptions/search?q=桂枝&page=1&limit=20"
```
Parameter description:
- `q` or `keyword`: search keyword (prescription name, herbal ingredients, etc.)
- `category`: filter by category (e.g. "exterior-releasing formulas", "heat-clearing formulas")
- `page`: page number, default 1
- `limit` or `pageSize`: items per

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
" 2>/dev/null)

  echo ">>> Prescriptions recommended for symptoms: ${symptoms_input}"
  curl -s -X POST "${API_BASE}/prescriptions/recommend" \
    -H "Content-Type: application/json" \
    -H "X-API-Key: $API_KEY" \
    -d "{\"symptoms\": ${symptoms_json}}" | python3 -m json.tool
```
Confidence
91% confidence

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.