DRG/DIP medical insurance grouping calculator: supports ICD code search, DRG/DIP grouping, medical insurance settlement, and CC/MCC lookup.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MedGroup medical grouping integration, with the main caution being careful handling of the required API key and any patient-related data.

Install only if you trust the MedGroup service. Use a scoped, revocable API key, prefer client secret storage over putting the key directly in the MCP URL, avoid sharing configs or screenshots containing the key, and use synthetic or de-identified data unless the provider’s privacy and compliance terms meet your requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill’s generic MCP template embeds the MedGroup API key directly in the SSE URL query string (`?api_key=...`). Secrets placed in URLs are commonly exposed through client logs, browser history, config exports, telemetry, reverse proxies, and referrer-like handling, which makes accidental credential disclosure much more likely than using dedicated secret storage or headers. In this skill’s context, the risk is elevated because the key grants access to an external medical grouping service and the workflow may involve regulated healthcare-related data.

VirusTotal

66/66 vendors flagged this skill as clean.
