
Security audit

unisound-diagnosis-review

Security checks across malware telemetry and agentic risk

Overview

This medical review skill appears purpose-aligned, but it can send sensitive clinical record content to external services without clear consent, scoping, or endpoint control.

Install only after confirming that your organization permits external LLM and guideline-service processing of the medical content involved. Prefer an approved internal or allowlisted endpoint, avoid passing secrets on the command line, do not use plaintext debug exports with real patient data, and require explicit consent and redaction controls before sending clinical records off-system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

MCP Least Privilege (Lp3)

Medium
Confidence
89% confidence
Finding
The skill documentation describes capabilities to read environment variables, read and write files, and make network requests, but it does not declare any corresponding permissions. This creates a transparency and control gap: operators may approve or run the skill without understanding that it can access secrets via env vars, send patient data to external services, and persist processed records locally under some flags.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The code posts diagnosis-related data to external services: a remote guideline API and, elsewhere in the flow, an external LLM endpoint. In a medical-diagnosis review skill, transmitting case-derived information off-system without clear disclosure or strict trust boundaries creates a material confidentiality and data-governance risk, especially for regulated health information.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
build_diagnosis_review_prompt embeds medical-record document contents into the LLM prompt, and the LLM client sends that prompt to a remote chat-completions API. This exposes raw clinical text to an external processor, which is highly sensitive in the context of diagnosis auditing and may violate privacy, retention, and cross-border handling requirements if not explicitly controlled.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The payload and CLI allow the caller to supply an arbitrary LLM base URL, which is then used for outbound requests. This enables exfiltration of prompts and medical-record content to attacker-controlled endpoints and turns the skill into an SSRF-like arbitrary outbound connector within the application's network context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
review_diagnosis_payload wires record data into the review path that can invoke the LLM client, but there is no warning, consent gate, or disclosure that medical-record content may be sent externally. In a healthcare context, silent transmission of case content increases compliance and privacy risk even if the remote service is otherwise legitimate.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Diagnosis codes are sent to a remote guideline API without any disclosure to the caller. While less sensitive than full chart text, diagnosis data is still medical information and can reveal patient conditions or workflow details when combined with other context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script can persist preprocessed medical record text to a local debug file via `--save-prepared`, and that text is derived from patient documents (`docs[].content`). In a medical coding review skill, this is highly sensitive PHI, so writing it to disk without strong safeguards, redaction, retention controls, or a prominent warning increases the risk of accidental disclosure through shared workstations, backups, logs, or misconfigured file permissions.
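The three controls called for by the arbitrary-base-URL, missing-consent, and debug-export findings above, as an added example that is not code from the audited skill or from this audit: an allowlist check on the caller-supplied LLM base URL, an explicit consent gate before any `docs[].content` leaves the host, and redaction applied before the prompt is built or a `--save-prepared` style debug file is written. The allowlist hosts, the redaction patterns, and every function name below are assumptions for illustration.

```python
"""Added example, not the skill's own code: a gate for sending clinical
text off-system. It allowlists the caller-supplied LLM base URL, requires
explicit consent before docs[].content leaves the host, and redacts the
text before it reaches the prompt or a --save-prepared style debug file.
The allowlist, patterns and names below are illustrative assumptions."""
import os
import re
import stat
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical organisational allowlist of approved LLM / guideline hosts.
ALLOWED_HOSTS = frozenset({"llm.internal.example.org", "guidelines.example.org"})

# Illustrative identifier patterns only; real de-identification needs a
# vetted tool. They show where the redaction step belongs in the flow.
REDACTION_PATTERNS = [
    (re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE), "[MRN]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]


class PolicyError(Exception):
    """A request would violate the off-system data policy."""


def validate_base_url(base_url: str) -> str:
    """Accept only https URLs whose host is on the allowlist; rejects other
    schemes, userinfo tricks (https://trusted@attacker/) and IP-literal
    hosts such as link-local metadata addresses."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise PolicyError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise PolicyError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    try:
        ip_address(host)
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist check
    else:
        raise PolicyError("IP-literal hosts not allowed")
    if host not in ALLOWED_HOSTS:
        raise PolicyError(f"host {host!r} not on allowlist")
    return base_url


def redact(text: str) -> tuple[str, int]:
    """Replace identifier-like tokens; returns (redacted text, hit count)."""
    total = 0
    for pattern, token in REDACTION_PATTERNS:
        text, n = pattern.subn(token, text)
        total += n
    return text, total


def prepare_prompt(docs: list[dict], llm_base_url: str, consent: bool) -> tuple[str, str]:
    """Return (validated base URL, redacted prompt) or raise PolicyError.
    `docs` mirrors the docs[].content shape named in the findings."""
    if not consent:
        raise PolicyError("explicit consent required before clinical text leaves the host")
    base_url = validate_base_url(llm_base_url)
    redacted, _ = redact("\n\n".join(d["content"] for d in docs))
    return base_url, "Review this diagnosis record for coding inconsistencies:\n" + redacted


def save_prepared(path: str, prompt: str, allow_debug_export: bool) -> int:
    """Gated --save-prepared replacement: writes only on explicit opt-in,
    forces owner-only permissions (0o600) and returns the resulting mode."""
    if not allow_debug_export:
        raise PolicyError("debug export disabled; opt in only with redacted content")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # O_CREAT mode is ignored for existing files
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(prompt)
        return stat.S_IMODE(os.fstat(fh.fileno()).st_mode)


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises PolicyError."""
    try:
        fn(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = [{"content": "MRN: 0012345, DOB 1980-05-17, phone 555-123-4567. Dx: J18.9"}]
    print(rejects(prepare_prompt, sample, "https://llm.internal.example.org/v1", False))  # True
    print(prepare_prompt(sample, "https://llm.internal.example.org/v1", True)[1])
```

The regex redaction is deliberately minimal and only marks where the step belongs; a production skill should run a vetted de-identification tool and, better still, pin the endpoint to the approved service rather than accept a caller-supplied base URL at all. The `fchmod` after `os.open` matters because the mode argument to `O_CREAT` is applied only when the file is newly created and is masked by the umask.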

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The app key is accepted as a command-line argument, which commonly exposes secrets through shell history, process listings, job control systems, and audit tooling. Because this skill processes medical records and calls a medical LLM service, leakage of the credential could let an attacker invoke the service, access protected workflows, or incur unauthorized use under a trusted identity.
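One way to take the app key without placing it in argv, as an added example that is not the skill's own interface: an inline `--app-key` is refused with a clear error, and the key is read from an environment variable or from a key file that must be owned by the caller and not readable by other users. The variable name `UNISOUND_APP_KEY`, the `--app-key-file` option, and the function names are assumptions.

```python
"""Added example, not the skill's own code: resolving the app key without
taking it on the command line. argv is visible in shell history and to other
local users via process listings, so an inline --app-key is refused; the key
comes from an environment variable or an owner-only (0600) key file instead.
The option and variable names are assumptions for illustration."""
import argparse
import os
import stat
from collections.abc import Mapping

ENV_NAME = "UNISOUND_APP_KEY"  # hypothetical variable name
PRIVATE_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0o600


class CredentialError(Exception):
    """The app key is missing, exposed, or supplied through an unsafe channel."""


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="diagnosis-review")
    parser.add_argument("--app-key-file", help="file holding the app key (must be mode 0600)")
    # Still parsed so old invocations get a clear refusal instead of a silent leak.
    parser.add_argument("--app-key", help=argparse.SUPPRESS)
    return parser


def read_key_file(path: str) -> str:
    """Return the key from `path`, refusing files other local users can read."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path}: key file is group- or world-accessible")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise CredentialError(f"{path}: key file not owned by the current user")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not key:
        raise CredentialError(f"{path}: key file is empty")
    return key


def resolve_app_key(argv: list[str], env: Mapping[str, str]) -> str:
    """Pick the key from --app-key-file, then the environment; never from argv."""
    args = build_parser().parse_args(argv)
    if args.app_key is not None:
        raise CredentialError("refusing --app-key on the command line; use "
                              f"--app-key-file or the {ENV_NAME} variable")
    if args.app_key_file:
        return read_key_file(args.app_key_file)
    key = env.get(ENV_NAME, "").strip()
    if not key:
        raise CredentialError(f"no app key: set {ENV_NAME} or pass --app-key-file")
    return key


def write_key_file(path: str, key: str, mode: int = PRIVATE_MODE) -> str:
    """Provision a key file with explicit permissions (setup helper)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
    os.chmod(path, mode)  # O_CREAT's mode is umask-masked and skipped for existing files
    return path


def rejects(argv: list[str], env: Mapping[str, str]) -> bool:
    """True if resolve_app_key(argv, env) raises CredentialError."""
    try:
        resolve_app_key(argv, env)
    except CredentialError:
        return True
    return False


if __name__ == "__main__":
    print(rejects(["--app-key", "sk-example"], {}))        # True: inline key refused
    print(resolve_app_key([], {ENV_NAME: "sk-from-env"}))  # sk-from-env
```

An environment variable is better than argv but still readable by the same user through `/proc/<pid>/environ` and inherited by every child process, which is why the key-file path checks ownership and mode and why a secret manager is the stronger option where one is available.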

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.