unisound-med-term

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed medical-term helper that sends user-provided questions to a configured medical LLM API, so users should avoid submitting identifiable patient data unless approved.

Install only if you trust the publisher and the configured hivoice.cn-compatible model endpoint. Use a dedicated app key, avoid overriding the API URL to an untrusted destination, and submit only de-identified or organization-approved medical text.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill sends user-supplied medical question content, and also includes record metadata in the emitted result object, to a remote third-party API endpoint without any consent gate, warning, redaction, or data-classification check. In a medical context, prompts may contain sensitive health or identifying information, so silent transmission to an external service creates a real confidentiality and compliance risk even if the feature is functionally intended.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal