禾连健康 - Health-Check Booking Assistant

Security checks across malware telemetry and agentic risk

Overview

This health-check booking skill stays mostly within its stated purpose, but it handles and stores identity and payment data in risky ways that need review before installation.

Install only if you trust the publisher and are comfortable with this skill handling real health-booking and payment flows. Before use, require changes that remove plaintext hidden storage of patient and bank-card data, stop logging payment credentials and SMS codes, mask displayed saved records, and provide explicit consent plus deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill instructs the agent to read and persist highly sensitive personal data, including identity and contact information, in hidden desktop files for reuse. Hidden local storage of PII is dangerous because it bypasses normal consent expectations, increases exposure to local compromise, and creates long-lived data residues unrelated to a single transaction.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The bank-card workflow expands the skill from appointment booking into collecting and storing full payment card details, identity numbers, phone numbers, and agreement metadata. This is especially dangerous because the manifest describes a health-check booking assistant, so the financial-data handling is both under-disclosed and materially raises the risk of fraud, privacy breach, and regulatory noncompliance.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
When location matching fails, the documented logic silently falls back to an unrelated default area code in Xinjiang instead of stopping for user confirmation. This can misroute users to the wrong hospitals and contaminate downstream booking decisions, which is particularly risky in a healthcare workflow where location and availability accuracy matter.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding
The bank-card example uses a malformed callback path (`/hirdPlat/`) that conflicts with the documented notify endpoint. In payment flows, inconsistent callback URLs can break status reconciliation or redirect transaction notifications incorrectly, causing payment ambiguity and operational failures.
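The two divergences above (the silent area-code fallback and the callback path that disagrees with the documented endpoint) share a remedy: validate before acting, and stop for the user when validation fails rather than guessing. The Python below is an added example written for this review, not the skill's own code. The area-code table, the `NeedsConfirmation` exception, the `preflight` helper, the `pay.example.invalid` host and the `/pay/notify` documented path are all assumptions; only the `/hirdPlat/` path comes from the finding.

```python
from urllib.parse import urlsplit

# Constructed lookup table for the example; the skill's real area-code data is
# not on the page. Codes follow the 6-digit administrative-division format.
AREA_CODES = {
    "北京市": "110000",
    "上海市": "310000",
    "广州市": "440100",
    "深圳市": "440300",
    "乌鲁木齐市": "650100",
}
DEFAULT_AREA_CODE = "650100"  # a Xinjiang code standing in for the skill's silent default

# Hypothetical documented notify endpoint; the page only shows the malformed '/hirdPlat/' path.
DOCUMENTED_NOTIFY = "https://pay.example.invalid/pay/notify"


class NeedsConfirmation(Exception):
    """Raised instead of guessing: the agent must ask the user before booking."""

    def __init__(self, query: str, candidates: list):
        super().__init__(f"no unique match for {query!r}; candidates: {candidates}")
        self.query = query
        self.candidates = candidates


def resolve_area_unsafe(query: str) -> str:
    """The divergence the finding describes: an unmatched city silently becomes DEFAULT_AREA_CODE."""
    return AREA_CODES.get(query.strip(), DEFAULT_AREA_CODE)


def resolve_area(query: str) -> str:
    """Fail-closed resolver: exact hit, else one unambiguous prefix hit, else ask the user."""
    q = query.strip().rstrip("市")  # tolerate a missing '市' suffix, nothing more
    if not q:
        raise NeedsConfirmation(query, [])
    hits = [name for name in AREA_CODES if name.startswith(q)]
    if len(hits) == 1:
        return AREA_CODES[hits[0]]
    raise NeedsConfirmation(query, hits)


def check_callback(configured: str, documented: str) -> list:
    """Compare a callback URL from an example or config against the documented notify endpoint.

    Returns a list of problems; an empty list means the two agree.
    """
    c, d = urlsplit(configured), urlsplit(documented)
    problems = []
    if c.scheme != "https":
        problems.append(f"callback scheme {c.scheme!r} is not https")
    if c.netloc.lower() != d.netloc.lower():
        problems.append(f"callback host {c.netloc!r} differs from documented {d.netloc!r}")
    if c.path.rstrip("/") != d.path.rstrip("/"):
        problems.append(f"callback path {c.path!r} differs from documented {d.path!r}")
    return problems


def preflight(location_query: str, callback_url: str) -> dict:
    """What the agent should run before touching the booking or payment APIs.

    area_code is None when the user must confirm; confirm_candidates then lists
    the partial matches (possibly none) to present to them.
    """
    result = {
        "area_code": None,
        "confirm_candidates": None,
        "callback_problems": check_callback(callback_url, DOCUMENTED_NOTIFY),
    }
    try:
        result["area_code"] = resolve_area(location_query)
    except NeedsConfirmation as exc:
        result["confirm_candidates"] = exc.candidates
    return result


if __name__ == "__main__":
    print("unsafe:", resolve_area_unsafe("杭州"))  # silently books in the wrong province
    print("safe:", preflight("杭州", "https://pay.example.invalid/hirdPlat/notify"))
```

The unsafe resolver returns a valid-looking code for any input, which is exactly why the downstream booking logic cannot tell that it is wrong; the fail-closed version makes the gap visible to the user instead.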

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill tells the agent to store national ID numbers, phone numbers, and later bank data in hidden desktop files without clear, informed user warning about local persistence risk. The danger is heightened because users interacting with a booking assistant are unlikely to expect covert filesystem storage of sensitive identity records.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The skill advertises use of real APIs for login and payment but does not clearly disclose that sensitive identity, health-booking, and payment-related data will be transmitted to external services. Lack of transmission transparency undermines informed consent and increases privacy and compliance risk.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The tool sends payment credentials to an external payment endpoint and logs full request/response details, including sensitive payload data, headers, and server responses. In a health-assistant context, these logs can expose payment credentials, session identifiers, and potentially user-linked transaction metadata to operators, log aggregators, or anyone with log access.

Missing User Warnings

Severity: High
Confidence: 100%
Finding
The bank-card confirmation helper logs the SMS verification code in plaintext. SMS OTPs are highly sensitive authentication factors for completing a payment, so exposing them in logs can enable unauthorized payment completion or post-incident compromise by anyone who can read logs.
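The two logging findings above (verbatim request/response logging and the plaintext SMS code) have one fix: redact structured payloads before they are formatted into a log line, dropping authentication material outright and masking identifiers down to a correlating suffix. The Python below is an added example for this review, not code from the skill. The field names such as `smsCode`, `cardNo` and `idNo`, the sample exchange, and the digit-pattern rules for mainland ID numbers, card numbers and mobile numbers are assumptions about the helper's schema and data formats.

```python
import json
import logging
import re

# Key names (normalised: lower-case, non-alphanumerics removed) that must never
# reach a log line. The names are assumptions about the helper's payload schema.
SECRET_FIELDS = {"smscode", "otp", "verifycode", "cvv", "cvv2", "password",
                 "token", "authorization", "cookie", "setcookie"}
# Keys whose values may be logged with everything but the last four characters masked.
MASKED_FIELDS = {"cardno", "cardnumber", "bankcard", "idno", "idcard", "phone", "mobile", "tel"}

# Free-text patterns tuned to the formats this skill handles (assumption):
# 18-character mainland ID numbers, 16-19 digit card numbers, 11-digit mobiles starting with 1.
# ID_RE runs first so a 17-digit-plus-X ID is not half-matched as a card number.
ID_RE = re.compile(r"(?<![0-9A-Za-z])\d{17}[0-9Xx](?![0-9A-Za-z])")
CARD_RE = re.compile(r"(?<!\d)\d{16,19}(?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)1\d{10}(?!\d)")


def mask(value) -> str:
    """Keep only the last four characters: '6222021234567890' -> '************7890'."""
    s = str(value)
    return "*" * len(s) if len(s) <= 4 else "*" * (len(s) - 4) + s[-4:]


def scrub_text(text: str) -> str:
    """Mask identifier-shaped digit runs inside free text (URLs, messages, raw bodies)."""
    for pattern in (ID_RE, CARD_RE, MOBILE_RE):
        text = pattern.sub(lambda m: mask(m.group(0)), text)
    return text


def redact(obj):
    """Recursively redact a request/response structure before it is logged."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            norm = re.sub(r"[^a-z0-9]", "", str(key).lower())
            if norm in SECRET_FIELDS:
                out[key] = "[REDACTED]"
            elif norm in MASKED_FIELDS:
                out[key] = mask(value)
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


def format_exchange_unsafe(request: dict, response: dict) -> str:
    """The pattern the findings describe: headers, payload and server reply logged verbatim."""
    return "payment request=%s response=%s" % (
        json.dumps(request, ensure_ascii=False), json.dumps(response, ensure_ascii=False))


def format_exchange_safe(request: dict, response: dict) -> str:
    """Same log line, produced from the redacted copies."""
    return "payment request=%s response=%s" % (
        json.dumps(redact(request), ensure_ascii=False), json.dumps(redact(response), ensure_ascii=False))


# Constructed sample exchange: no real card, ID, phone, token or code.
SAMPLE_REQUEST = {
    "headers": {"Authorization": "Bearer abc.def.ghi", "Content-Type": "application/json"},
    "body": {"cardNo": "6222021234567890", "idNo": "11010119900307123X",
             "phone": "13800138000", "smsCode": "482913", "amount": "39900"},
}
SAMPLE_RESPONSE = {"code": 0, "msg": "ok", "orderId": "20240101000123", "token": "sess-9f8e7d"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    logging.info(format_exchange_safe(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

The 14-digit `orderId` survives redaction because the digit-run rules are deliberately narrow; widen them only with a look at what the real payloads contain, or correlation in the logs becomes impossible. `mask()` is also what the overview asks for when saved records are shown back to the user: enough of the value to confirm which record is meant, not enough to reuse it.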

Ssd 3

Severity: High
Confidence: 99%
Finding
The instructions explicitly direct the agent to create hidden local folders and persist sensitive user data there. This is dangerous because local hidden files are not a secure secret store, may be accessible by other software or users on the machine, and create persistent sensitive artifacts beyond the immediate booking need.

Ssd 3

Severity: High
Confidence: 99%
Finding
Appending patient identity data to a hidden markdown file creates an unstructured, plaintext repository of sensitive PII on the endpoint. In a health-related context, this materially increases the chance of privacy compromise through local malware, shared-user access, backups, or accidental disclosure.

Ssd 3

Severity: High
Confidence: 99%
Finding
The unauthenticated branch again collects and stores identity data before or alongside login, compounding exposure by persisting sensitive information even when the authentication flow may not complete. This broadens the attack surface and leaves unnecessary residual data for abandoned or failed sessions.

Ssd 3

Severity: Critical
Confidence: 100%
Finding
This section directs the agent to read and store full bank-card details, identity document numbers, and bank-linked phone numbers in hidden local files. That creates a severe financial-data exposure risk, potentially enabling fraud or account abuse, and is especially dangerous because plaintext local storage of full card data is far outside safe design for a booking assistant.
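The four storage findings above all come from instruction text that tells the agent to persist identity or card data into dot-prefixed files. A reviewer can catch that pattern before installing by scanning the skill's instructions for a hidden path, a persistence verb and a sensitive-data term on the same line, and separately for secrets being sent to logs. The Python below is an added example for this review, not part of the skill or of SkillSpector; the sample SKILL.md text, the `~/Desktop/.helian/` paths and the keyword lists are constructed assumptions about how such instructions are phrased.

```python
import re
from dataclasses import dataclass

# Keyword sets are assumptions about the wording (English plus the Chinese terms
# a skill like this would use); tune them to the real SKILL.md.
HIDDEN_PATH = re.compile(r"[/\\]\.(?!\.)[\w.-]+")  # a dot-prefixed path segment, e.g. /.helian
HIDDEN_ATTR = re.compile(r"attrib\s+\+h|FILE_ATTRIBUTE_HIDDEN|隐藏", re.I)
PERSIST = re.compile(r"\b(?:writes?|saves?|appends?|stores?|persists?|records?)\b|保存|写入|追加|记录", re.I)
PII = re.compile(r"\b(?:id number|national id|id card|passport|phone|mobile|address)\b|身份证|手机号|地址", re.I)
PAYMENT = re.compile(r"\b(?:bank card|card number|card no|cvv2?|expiry|bank phone)\b|银行卡|卡号", re.I)
LOGGING = re.compile(r"\b(?:logs?|logged|logging|prints?|console)\b|日志|打印", re.I)
SECRET = re.compile(r"\b(?:sms (?:verification )?code|otp|verification code|cvv2?|password|token)\b|验证码|密码", re.I)


@dataclass
class Finding:
    line_no: int
    severity: str
    rule: str
    text: str


def scan_skill_text(text: str) -> list:
    """Scan instruction text line by line and return the storage and logging findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hidden = HIDDEN_PATH.search(line) or HIDDEN_ATTR.search(line)
        if hidden and PERSIST.search(line):
            where = hidden.group(0)
            if PAYMENT.search(line):
                findings.append(Finding(line_no, "CRITICAL",
                                        "payment data persisted to hidden file " + where, line.strip()))
            elif PII.search(line):
                findings.append(Finding(line_no, "HIGH",
                                        "identity data persisted to hidden file " + where, line.strip()))
            else:
                findings.append(Finding(line_no, "MEDIUM",
                                        "hidden local persistence " + where, line.strip()))
        if LOGGING.search(line) and SECRET.search(line):
            findings.append(Finding(line_no, "HIGH",
                                    "secret or one-time code written to logs", line.strip()))
    return findings


# Constructed SKILL.md-style instructions that exhibit the flagged patterns.
SAMPLE_SKILL_MD = """\
# Health-check booking assistant
1. Ask the user for name, ID number and phone, then append them to ~/Desktop/.helian/patients.md for reuse.
2. Call the login API with the phone number.
3. For bank-card binding, save the card number, CVV, ID number and bank phone to ~/Desktop/.helian/cards.md.
4. Print the SMS verification code to the log so the user can confirm it.
5. Show the user the list of available hospitals.
"""

if __name__ == "__main__":
    for f in scan_skill_text(SAMPLE_SKILL_MD):
        print(f"line {f.line_no}: {f.severity}: {f.rule}\n    {f.text}")
```

The scan is line-local on purpose: an instruction that splits "collect the ID number" and "save it to the hidden folder" across two sentences is missed, so treat a clean result as a reason to read the file, not as a verdict. The same keyword lists are what to grep for in any helper scripts the skill ships alongside its instructions.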

VirusTotal

66/66 vendors reported this skill as clean. An antivirus verdict covers known-malware signatures only; it says nothing about the instruction-level findings above, which concern how the skill handles data rather than whether it carries malicious code.