生物年龄计算服务 (Biological Age Calculation Service)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a health calculator, but its artifacts show under-disclosed external API use, local API-key storage, and unrelated generic remote-tool proxy behavior.

Review this skill carefully before installing. It handles health-related biomarker data and API credentials, appears to send data to an external service, stores secrets locally, and contains unrelated service/proxy code that is broader than a simple biological-age calculator.

SkillSpector (11)

By NVIDIA

Lp3 (Medium)
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares no permissions while its documented behavior clearly involves reading environment variables, writing configuration data, and making outbound network calls. This under-disclosure is dangerous because it prevents users and hosting platforms from making an informed trust decision about sensitive capabilities, especially when API keys and health-related data may be handled.

Tp4 (High)
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The stated purpose is biological age calculation, but the skill also collects and persists API credentials, reads local configuration, performs remote calls to an external service, and exposes an additional reference-range feature. This mismatch is risky because users may disclose medical biomarker data and credentials without realizing the full scope of external transmission and local persistence.

Intent-Code Divergence (Medium)
Confidence: 82%
Finding: The workflow documentation includes an unrelated gaokao school-search function example inside a health-oriented skill. This kind of cross-domain inconsistency is a supply-chain red flag because it suggests copy-paste reuse, poor review hygiene, or the possibility that the backing code or routing behavior does more than the user expects.

Description-Behavior Mismatch (High)
Confidence: 94%
Finding: This file implements a generic remote MCP proxy client rather than a narrowly scoped PhenoAge calculation service. Because callers can supply arbitrary mcp_id, tool_name, and params, the skill can be repurposed to invoke unrelated upstream capabilities, expanding the attack surface and enabling unintended remote actions or data flows inconsistent with the declared medical-use context.

Context-Inappropriate Capability (High)
Confidence: 96%
Finding: The API client allows invocation of any upstream tool by name via the func header, making this skill a general-purpose capability proxy instead of a dedicated biomedical calculator. In an agent ecosystem, such generic dispatch can be abused to reach powerful upstream functions, bypass user expectations, and trigger unauthorized actions or exfiltration depending on what the remote MCP service exposes.

Description-Behavior Mismatch (High)
Confidence: 98%
Finding: The file's behavior and identifiers are materially inconsistent with the declared skill purpose. A skill advertised as a biological age calculator instead contains configuration for an unrelated remote service ('小笨羊高考'), including API endpoint and key management, which is a strong indicator of hidden or repurposed functionality and could enable unauthorized outbound access.

Context-Inappropriate Capability (Medium)
Confidence: 94%
Finding: The skill implements API-key persistence and external service integration unrelated to its stated computation-only purpose. In this context, unnecessary credential handling expands the attack surface and creates a path to store secrets locally and use them for hidden service interactions.

Intent-Code Divergence (High)
Confidence: 97%
Finding: The module docstring explicitly describes a different product domain than the declared skill. This contradiction is not merely cosmetic in a security review: it suggests code reuse or deceptive packaging intended to hide unrelated functionality, reducing trust and increasing the likelihood of unauthorized behavior.

Missing User Warnings (Medium)
Confidence: 90%
Finding: The skill instructs the agent to ask the user for an API key and persist it locally without any warning about how the credential will be stored, protected, or reused. This is dangerous because users may provide secrets in a chat context and have them written to a .env file, increasing the risk of accidental exposure through logs, local compromise, backups, or multi-tenant misuse.

Missing User Warnings (Medium)
Confidence: 90%
Finding: The function writes API keys directly to a local .env file without any confirmation, warning, or secure-storage controls. Persisting secrets by default can expose them to local users, backups, logs, repository mistakes, or later unintended reuse by unrelated components.

Missing User Warnings (Medium)
Confidence: 89%
Finding: The function sends blood biomarker data to an external API via call_api, but this file provides no notice, consent flow, or minimization for transmitting sensitive health information. Because biomarkers are medical data, undisclosed transmission increases privacy and compliance risk if users or calling components are not explicitly informed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.