Back to skill

Security audit

unisound-health-education

Security checks across malware telemetry and agentic risk

Overview

This health-education skill is not malicious, but it should be reviewed because it sends health-related user content to a remote model API and processes broad document types without clear privacy or containment controls.

Install only if you are comfortable sending the provided health topic, keywords, and matched article summaries to the documented remote medical model API. Avoid using real patient identifiers or sensitive medical records unless the publisher provides privacy, retention, and compliance assurances, and process Office/PDF/image uploads only in a controlled environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
76% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for xls conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless",
             "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
             "--outdir", tmp_dir, str(path)],
Confidence
76% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
69% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill advertises operational capabilities including file parsing, shell-based document conversion/OCR, network access, and reading user-supplied files, but declares no permissions or trust boundaries. In a healthcare context this is risky because users may provide sensitive medical documents, and the skill also sends content to a remote model API, creating a larger attack and privacy surface than the metadata suggests.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
The skill calls external document-conversion and OCR binaries that are not obviously necessary for a patient health-education entrypoint. In context, this makes the attack surface more concerning because the skill appears to accept broad untrusted document types and pass them to heavyweight parsers, increasing the chance of exploitation or abuse without a strong business need.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation states that execution sends user-provided health content to an internal medical model API and even forces API-based inference, but it does not give a clear privacy warning, consent step, retention statement, or guidance about sensitive data handling. Because inputs may include PDFs, images, and other medical documents, this can expose personal health information to remote services without informed user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends patient health query content and matched article data to a third-party LLM API via `_call_llm` without any visible consent, minimization, or disclosure controls. In a medical-context skill, even seemingly general health topics can reveal sensitive health interests or conditions, so external transmission increases privacy and compliance risk.

Ssd 1

Medium
Confidence
95% confidence
Finding
User-controlled article fields such as title, summary, and keywords are interpolated directly into the LLM prompt, allowing malicious text in article content to act as indirect prompt injection. An attacker could insert instructions that override the intended task, manipulate medical guidance, suppress disclaimers, or cause unsafe/misleading output in a health education context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/run.py:236