Security audit

Work Injury Claim

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate work-injury claim helper, but it handles sensitive medical and identity data while overstating some legal coverage and lacking privacy safeguards.

Install only if you are comfortable giving the skill sensitive identity, employment, salary, and medical information. Use a private output folder, avoid uploading unnecessary records, verify all deadlines and benefit calculations with local authorities or a lawyer, and treat generated documents as drafts rather than final legal filings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises and invokes local file read/write capabilities via reference loading and document-generation scripts, but it does not declare any permissions or boundaries for those capabilities. In an agent environment, undeclared filesystem access reduces transparency and can lead to unintended access to local files or uncontrolled writing of generated documents, especially when handling user-supplied case data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims comprehensive nationwide legal analysis, eligibility determination, regional rule lookup, and compensation calculation, but the described implementation reportedly only fills templates, uses limited hardcoded regional data, and omits major claim types and benefit calculations. In a legal/benefits context, this mismatch is security-relevant because users may rely on incomplete or incorrect outputs for deadlines, filings, and compensation claims, causing financial loss or forfeiture of rights.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation and JSON example use the field name 'resigned', but the CLI parser defines '--resided' and the argument-loading logic checks for 'resigned'. As a result, a user-provided departure status from the command line may never reach compensation logic, causing omission of resignation-dependent benefits and producing materially incorrect legal/financial documents.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The generated application text hardcodes the article item number so that only injury type '1' gets a correct '第…项' citation, while other injury types produce an empty or incorrect item reference. In a legal-document generation skill, this can misstate the claimed statutory basis, undermining credibility, delaying claims, or causing users to submit defective filings.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly asks users to upload medical records, diagnostic certificates, and work-injury decision documents, which are highly sensitive personal and health records, but it provides no specific privacy notice, retention policy, minimization guidance, or handling restrictions. Because the skill also generates documents and uses file operations, the absence of data-handling safeguards increases the risk of overcollection, improper storage, or disclosure of sensitive medical and identity information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes highly sensitive identity, employment, and medical information directly to disk in plaintext Markdown files without any warning, confirmation, permission hardening, or guidance on secure storage. In the context of a work-injury claims skill, this data is especially sensitive and could expose users to privacy harm, identity theft, or unauthorized disclosure if written to shared directories, synced folders, or logs.

VirusTotal

65/65 vendors flagged this skill as clean.