unisound-glucose-monitor-record

Security checks across malware telemetry and agentic risk

Overview

This glucose-recording skill handles sensitive health data and appears to send it to a remote model/API while also accepting broad document inputs, without enough clear privacy scoping for a basic logging tool.

Install only after confirming you are comfortable sending glucose values, timestamps, notes, and possibly full document contents to the model/API provider. Prefer local-only or structured-input use, avoid uploading broad medical documents unless necessary, and verify the publisher documents retention, access controls, and consent handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for office document conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
75% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "txt:Text", "--outdir", tmp_dir, str(path)], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not office_bin:
        raise PreprocessError("libreoffice/soffice not found for xls conversion.")
    with tempfile.TemporaryDirectory(prefix="med-skill-preprocess-") as tmp_dir:
        proc = subprocess.run(
            [office_bin, "--headless",
             "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1",
             "--outdir", tmp_dir, str(path)],
Confidence
75% confidence
Finding
proc = subprocess.run( [office_bin, "--headless", "--convert-to", "csv:Text - txt - csv (StarCalc):44,34,76,1", "--outdir", tmp_dir, str(path)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    pdf_to_text = shutil_which("pdftotext")
    if pdf_to_text:
        proc = subprocess.run(
            [pdf_to_text, "-layout", str(path), "-"],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False,
        )
Confidence
68% confidence
Finding
proc = subprocess.run( [pdf_to_text, "-layout", str(path), "-"], stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False, )

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The output contract says the structured data is local but the text field is generated by an internal medical model for interpretation, analysis, and reminders. That turns a simple recording skill into a medical-inference workflow and may expose protected health information to a remote model without sufficiently explicit notice or consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
Supporting PDF, Office documents, spreadsheets, and OCR images greatly exceeds the needs of a basic glucose-record skill and broadens the parser and toolchain attack surface. It also raises the likelihood of ingesting unrelated sensitive content from documents or images that users did not intend to submit for model processing.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill requires external networked LLM inference for a task described as basic record construction, meaning even routine patient entries may be transmitted off-device or off-platform. In a healthcare context, unnecessary remote processing of medical data materially increases privacy, compliance, and data-governance risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements a generic ingestion pipeline for many document and image formats, which exceeds the stated purpose of a glucose-monitor record skill. This unnecessary capability expansion increases the skill's attack surface, privacy exposure, and likelihood of handling risky content types without a clear functional justification.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill invokes external office, PDF, and OCR binaries that are not obviously required for a basic glucose-record function. This substantially broadens the trusted computing base and introduces parser-level exploit risk from complex third-party tools handling untrusted files.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill transmits patient glucose records to an external model API despite being described as a basic record capability. In a medical context, glucose values, timestamps, and notes are sensitive health data, so unexpected off-device transmission materially increases privacy, compliance, and third-party exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation indicates medical record content may be sent to an internal model API, but it does not clearly warn about privacy implications, data sharing, or handling of sensitive health information. In a patient-facing medical skill, this omission can lead users to unknowingly disclose protected health data to remote services.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill sends blood glucose records and related notes to a remote API without any user-facing disclosure, consent flow, or warning. In a healthcare setting this is particularly dangerous because the data can reveal medical status and routines, and users may reasonably expect a 'recording' skill to process data locally unless told otherwise.

VirusTotal

VirusTotal findings are pending for this skill version.
