Health Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it handles a broad range of medical and mental-health situations while collecting and storing sensitive health data with weak disclosure and safeguards.

Install only if you are comfortable with medical profile data, medications, reminders, and health records being stored locally in plaintext under ~/.health_data. Treat the medical, first-aid, mental-health, veterinary, and drug-regulation content as general information, verify urgent issues with local emergency services or qualified professionals, and review and delete the stored files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The storage initializer creates medications.json and reminders.json as JSON objects ({}), but add_medication() and add_reminder() later treat those files as lists and call append() on the loaded value. A JSON object loads as a dict, which has no append(), so the first use of either path fails at runtime or leaves the file in an inconsistent state, creating a denial-of-service condition for medication and reminder handling in a health application where reliability matters.
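To make the divergence concrete, here is an added Python reconstruction of the pattern the finding describes. It is not the skill's own code (the skill's source is not reproduced on this page): only the file names medications.json and reminders.json come from the finding, and the function names init_storage_buggy, add_medication_buggy, load_list, add_medication_fixed, check_storage_shapes and demo are hypothetical. The first two functions reproduce the mismatch; load_list is a shape-checking loader that tolerates the bad seed, and check_storage_shapes is the audit a reviewer would run against an existing ~/.health_data directory.

```python
import json
import os
import tempfile

# Hypothetical reconstruction of the reported pattern; file names are the
# ones named in the finding, everything else is illustrative.
LIST_FILES = ("medications.json", "reminders.json")


def init_storage_buggy(data_dir: str) -> None:
    """Mirrors the reported initializer: seeds list-shaped files with {}."""
    os.makedirs(data_dir, exist_ok=True)
    for name in LIST_FILES:
        path = os.path.join(data_dir, name)
        if not os.path.exists(path):
            with open(path, "w", encoding="utf-8") as fh:
                json.dump({}, fh)  # wrong shape: the writers below expect a list


def add_medication_buggy(data_dir: str, med: dict) -> None:
    """Mirrors the reported writer: assumes the loaded value is a list."""
    path = os.path.join(data_dir, "medications.json")
    with open(path, encoding="utf-8") as fh:
        meds = json.load(fh)  # {} loads as a dict
    meds.append(med)  # AttributeError: 'dict' object has no attribute 'append'
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(meds, fh)


def load_list(path: str) -> list:
    """Hardened loader: accept a list, treat a missing file or legacy {} as empty,
    and fail loudly on any other shape instead of corrupting the store."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if isinstance(data, list):
        return data
    if data == {}:  # seed left behind by the buggy initializer
        return []
    raise ValueError(f"{path}: expected a JSON array, found {type(data).__name__}")


def add_medication_fixed(data_dir: str, med: dict) -> int:
    """Same operation through the shape-checked loader; returns the new count."""
    path = os.path.join(data_dir, "medications.json")
    meds = load_list(path)
    meds.append(med)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(meds, fh)
    return len(meds)


def check_storage_shapes(data_dir: str) -> list:
    """Audit helper: names of files whose JSON is not the array the writers expect."""
    bad = []
    for name in LIST_FILES:
        path = os.path.join(data_dir, name)
        if not os.path.exists(path):
            continue
        with open(path, encoding="utf-8") as fh:
            if not isinstance(json.load(fh), list):
                bad.append(name)
    return bad


def demo() -> dict:
    """Run both versions against a fresh temp dir and report what happened."""
    data_dir = tempfile.mkdtemp()
    init_storage_buggy(data_dir)
    before = check_storage_shapes(data_dir)
    try:
        add_medication_buggy(data_dir, {"name": "example-med"})  # constructed record
        buggy_raises = False
    except AttributeError:
        buggy_raises = True
    add_medication_fixed(data_dir, {"name": "example-med"})
    count = add_medication_fixed(data_dir, {"name": "example-med-2"})
    return {
        "before": before,
        "buggy_raises": buggy_raises,
        "count": count,
        "after": check_storage_shapes(data_dir),
    }


if __name__ == "__main__":
    print(demo())
```

The audit reports both files as mis-shaped right after initialisation, the buggy writer raises on first use, and the fixed writer migrates the {} seed to an empty list, so only the untouched reminders.json remains flagged afterwards.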

Vague Triggers

Severity: High
Confidence: 89%
Finding
The activation criteria are extremely broad, covering generic topics like travel planning, general wellness, and feeling unwell. In a health skill that solicits sensitive medical data and may influence safety-critical advice, over-triggering can cause inappropriate invocation, unnecessary collection of sensitive information, and health guidance in contexts where the user did not intend to engage a medical-style assistant.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill instructs collection of extensive sensitive health data, including medical history, medications, allergies, and emergency-contact details, without a just-in-time privacy warning or consent flow at the point of collection. Because this is highly sensitive health information, collecting it broadly and early increases privacy risk, potential oversharing, and downstream exposure if stored or surfaced elsewhere in the workspace.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill states that sensitive health data will be stored locally in JSON files in the workspace and exported to CSV/JSON, but it does not warn users about workspace exposure, local file access by other tools/users, or the heightened sensitivity of emergency-contact and medical information. This creates a substantial confidentiality risk because plaintext local storage and export materially increase the chance of unintended disclosure.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
Hard-coding a China-specific crisis hotline in a general-purpose mental health section without clear regional qualification can misdirect users in crisis to the wrong service. In a safety-critical context like self-harm support, inaccurate or non-local emergency resources can delay access to effective help and materially increase harm.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The manifest description claims a very broad set of capabilities across sensitive domains including medical advice, mental health counseling, medication guidance, international drug regulations, first aid, and pet health. This overbroad invocation scope can cause the skill to be selected for high-risk health-related requests beyond a narrowly defined, safely governed purpose, increasing the chance of unsafe guidance, overcollection of sensitive health context, or user overreliance on unvalidated advice.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This first-aid reference provides actionable emergency guidance but does not clearly warn up front that emergency numbers, recommended actions, and medication suitability vary by country, age, allergies, medical history, and local protocols. In a health-assistant skill, users may rely on the document during urgent situations and follow mismatched advice or delay appropriate care because they assume the guidance is universally applicable.

Natural-Language Policy Violations

Severity: Medium
Confidence: 97%
Finding
The document hard-codes 'Call Emergency (120)' without identifying the jurisdiction or providing a locale-aware alternative. In an emergency, a user outside the region where 120 is valid could call the wrong number or waste critical time, which is especially dangerous given this skill explicitly targets first aid and urgent health scenarios.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
This script stores highly sensitive health information, including profile data, medications, reminders, and health records, in plaintext JSON files under the user's home directory. In a health-assistant context, that increases privacy risk because other local users, backups, malware, or unintentionally shared home directories could expose medical data, and the code provides no warning, consent flow, permission hardening, or encryption.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This module stores sensitive health information under the user's home directory in plaintext JSON without any visible disclosure, consent, or protection controls. Because the skill handles medical records, reminders, and profiles, local disk exposure is especially sensitive and can lead to privacy breaches if the device, account, backups, or filesystem permissions are compromised.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The save functions persist health records, medications, reminders, and user profiles directly to local JSON files without any access control, encryption, or user-facing warning. In the context of a health assistant, these writes may include highly sensitive medical and mental health data, making unauthorized local access, backup leakage, or accidental sharing materially harmful.
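The three storage findings above (the script, the module, and the save functions) describe the same gap: health records written as plaintext JSON under the home directory with no permission hardening. Short of encryption, the fix a reviewer would ask for is owner-only files plus a check that finds the ones that are not. The following Python example is added here and is not the skill's own code: save_json_private and overexposed_files are hypothetical names, the ~/.health_data location comes from this page's overview, and demo uses a constructed sample record in a temporary directory rather than real health data. Encryption at rest is deliberately left out because it needs key management that the page does not describe.

```python
import json
import os
import stat
import tempfile

# Hypothetical hardened replacement for the plaintext save functions the
# findings describe. Default location mirrors ~/.health_data from the overview.
DEFAULT_DATA_DIR = os.path.join(os.path.expanduser("~"), ".health_data")


def save_json_private(path: str, data) -> None:
    """Write JSON readable only by the owner: 0700 dir, 0600 file, atomic replace.
    The temp-file-then-rename step means a crash mid-write never leaves a
    half-written medications.json behind."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs honours umask; enforce explicitly
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o600)  # in case the file pre-existed with looser bits
    os.replace(tmp, path)


def overexposed_files(data_dir: str) -> list:
    """Audit: (relative path, mode) for every file under data_dir that group or
    others can read, write or execute. An empty list means owner-only."""
    findings = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & 0o077:
                findings.append((os.path.relpath(full, data_dir), oct(mode)))
    return sorted(findings)


def demo() -> dict:
    """Compare the reported plaintext default with the hardened writer."""
    base = tempfile.mkdtemp()
    # Constructed sample record; not real health data.
    record = {"name": "example-med", "dose": "1 tablet", "schedule": "08:00"}

    # What the findings describe: a plain open()/json.dump with default bits.
    loose = os.path.join(base, "loose", "medications.json")
    os.makedirs(os.path.dirname(loose))
    with open(loose, "w", encoding="utf-8") as fh:
        json.dump([record], fh)
    os.chmod(loose, 0o644)  # typical umask result: world-readable

    # Hardened path.
    tight = os.path.join(base, "tight", "medications.json")
    save_json_private(tight, [record])
    with open(tight, encoding="utf-8") as fh:
        roundtrip = json.load(fh)

    return {
        "loose": overexposed_files(os.path.join(base, "loose")),
        "tight": overexposed_files(os.path.join(base, "tight")),
        "roundtrip_ok": roundtrip == [record],
        "tight_mode": oct(stat.S_IMODE(os.stat(tight).st_mode)),
    }


if __name__ == "__main__":
    print(demo())
    print(overexposed_files(DEFAULT_DATA_DIR) if os.path.isdir(DEFAULT_DATA_DIR) else "no ~/.health_data")
```

Run stand-alone, the script also audits an existing ~/.health_data directory if one is present, which is the quickest way to confirm whether an installed copy of this skill has left world-readable files behind. The check only covers POSIX mode bits; ACLs, backups and synced home directories still need a separate review.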

VirusTotal

65/65 vendors reported this skill as clean.
