Back to skill

Security audit

WiseDiag-Checkup

Security checks across malware telemetry and agentic risk

Overview

This skill openly sends user-selected checkup reports to WiseDiag for cloud analysis and saves the resulting report locally, with the main risk being sensitive health data handling rather than hidden or malicious behavior.

Install only if you are comfortable sending checkup reports and any questionnaire or member-profile details to WiseDiag's cloud service using your API key. Use a private output directory for saved reports, and avoid this skill for highly sensitive documents unless WiseDiag's privacy and retention practices are acceptable to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are overly broad, especially the open-ended 'or similar requests' language, which can cause the skill to activate on loosely related medical-report conversations. Because this skill uploads documents to an external cloud service, accidental activation raises the risk of unintended disclosure of sensitive health data and unnecessary third-party processing.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The submit flow sends medical reports and optional questionnaire/member data to a third-party API without an explicit privacy warning or consent checkpoint. Because this skill handles highly sensitive health information, users may unknowingly transmit regulated personal data off-device and off-platform.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The save command writes analysis results containing sensitive medical information to disk without warning the user that protected health data will be stored locally. This can lead to unintended exposure through shared directories, backups, or weak local access controls.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.