Back to skill

Security audit

WiseDiag-Report

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends user-selected medical reports or report URLs to WiseDiag for cloud analysis and saves the result locally, with privacy risk disclosed but no hidden behavior found.

Install only if you are comfortable sending medical reports, image URLs, and questions to WiseDiag's cloud service. Remove personal identifiers where possible, treat saved Markdown outputs as sensitive health records, and prefer a temporary environment variable or secret manager instead of putting the API key directly in shell startup files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly relies on sensitive capabilities: reading an API key from the environment, making external network requests, and writing result files locally, yet it does not declare permissions. This creates a transparency and policy-enforcement gap where an agent or user may invoke a skill with broader access than is explicitly disclosed, which is especially concerning given the handling of medical data.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger language is broad enough to match ordinary medical-information questions such as 'what do these results mean' without clearly requiring an image, URL, or file to be present. That can cause over-invocation of a networked third-party medical-analysis skill, leading to unintended routing of user requests and increased chances of sensitive health information being sent to an external service when the user did not explicitly choose that tool.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
In file-upload mode, the skill transmits medical report files and user questions to an external cloud API without an explicit privacy warning or consent step at the time of transmission. Because these files can contain highly sensitive health information, users may unintentionally disclose regulated or confidential data to a third party.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In URL mode, the skill sends user-supplied image URLs and questions to an external API without an explicit warning that a third party will access and process the referenced medical content. This creates a privacy risk because users may not realize their report data and prompts are being shared outside the local environment.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.