personal health manager

Security checks across malware telemetry and agentic risk

Overview

This health manager is not malicious, but it needs review because it handles sensitive medical data with weak privacy and safety guardrails.

Install only if you are comfortable with sensitive health data being stored as plaintext JSON files under ~/.health_data. Share only the minimum medical details needed, verify medication and reminder behavior yourself, delete stored files when no longer needed, and do not rely on this skill for diagnosis, emergency decisions, or locale-specific emergency numbers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill states it will store health information locally in JSON/CSV files, which implies file read/write access, but it does not declare permissions or present clear controls around that capability. In a health-management context, undeclared persistence is especially risky because the data includes highly sensitive medical details, medications, allergies, and emergency contacts that users may not expect to be written to disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding: The storage initializer creates medications.json and reminders.json as JSON objects ({}), but add_medication() and add_reminder() later treat those files as arrays and call append(). This mismatch causes runtime failures and can break medication/reminder persistence, which is security-relevant in a health skill because users may believe critical reminders or medication data were saved when they were not.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding: The module claims to handle health data storage consistently, but the implementation is internally inconsistent for medications and reminders and will fail under the initialized format. In a personal health manager, this can lead to silent loss of medication schedules or reminders, undermining integrity and availability of safety-critical personal health data.

Vague Triggers

Severity: Medium
Confidence: 78%
Finding: The invocation guidance is broad enough to activate on common topics like travel planning, general wellness questions, or exercise advice, which can cause the skill to engage in contexts where users did not intend to disclose medical information. In this skill, over-triggering is more dangerous than usual because it may lead to unnecessary collection of sensitive health data and unqualified symptom or medication guidance in casual conversations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill instructs collection of highly sensitive personal and medical data, including age, gender, medical history, medications, allergies, blood type, and emergency contacts, and later says this is stored locally. It does not clearly warn users before collection/storage or obtain explicit consent, which creates serious privacy and confidentiality risk, especially for regulated or stigmatizing health information.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding: The description is very broad and does not define clear invocation boundaries, which can cause the agent to activate for loosely related health queries and provide advice outside an intended safe scope. In a health-oriented skill, overbroad routing is more dangerous than in general domains because it may lead to medication, symptom, or travel-health guidance being offered in inappropriate contexts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This reference provides actionable medical guidance, including medication use and escalation thresholds, but the safety disclaimer is only a brief footer and not prominent near treatment sections. In a personal health assistant context, users may rely on the content as definitive advice, which increases the risk of delayed care, inappropriate self-treatment, or misuse of medications without local professional guidance.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: Telling users to 'use epinephrine if available' without clarifying that it should be a prescribed auto-injector for the person, followed by immediate emergency follow-up, is unsafe. In the health-assistant context, this can encourage untrained or improper administration, false reassurance after temporary improvement, or reliance on someone else's medication during anaphylaxis.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding: Hard-coding 'Call Emergency (120)' without a locale qualifier is dangerous because users in many regions will dial the wrong number during time-critical emergencies such as stroke, anaphylaxis, or cardiac events. In a broadly scoped personal health manager skill, the audience is likely geographically diverse, so this ambiguity materially raises the chance of harmful delay.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill stores highly sensitive health information in plaintext JSON files under the user's home directory without warning, consent flow, permission hardening, or encryption. In a health-management context, this is especially dangerous because profile, medication, and medical-record data could be exposed to other local users, backups, malware, or accidental sharing, creating significant privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: Health records are written in plaintext JSON under the user's home directory without any user-facing notice, consent flow, access-control hardening, or encryption. Because the skill handles sensitive medical information, local persistent storage increases confidentiality risk from other local users, backups, malware, or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: Medication and reminder data are persisted locally in JSON without warning the user that sensitive health and routine information will remain on disk. In the context of a health-management skill, this is more dangerous because medication names, schedules, and reminders can reveal diagnoses, treatment plans, and daily habits.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The user profile is saved directly to disk as plaintext JSON without any user-facing warning or protection measures. Since the profile may include age, gender, and health conditions, exposure of this file could disclose highly sensitive personal and medical attributes; the health-skill context makes this especially privacy-sensitive.

VirusTotal

64/64 vendors flagged this skill as clean.