Back to skill

Security audit

Medical Ip Director Free

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only medical/aesthetic marketing skill, but it needs review because it encourages sensitive photo and health-related lead collection while overstating compliance and privacy safeguards.

Install only if you intentionally want a Chinese-language drafting aid for medical/aesthetic marketing. Do not submit identifiable patient data, facial photos, or health details without a separate privacy and consent process, remove unwanted promotional contact text, and have qualified medical/legal reviewers check all claims before publication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The file’s compliance section asserts there is no appearance-anxiety messaging, but the script frames a facial condition as a defect needing expert correction and asks users to submit front/side facial photos for assessment. This can mislead operators into treating the content as compliant when it contains cosmetic-pressure and lead-generation elements, increasing legal, privacy, and consumer-protection risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages users to submit doctor interview transcripts for analysis, but provides no warning about personal data, patient information, consent requirements, retention, or transmission risks. In a medical context, transcripts can easily contain sensitive health, employee, or patient-identifiable information, so omission of privacy handling guidance creates a real risk of inappropriate disclosure or non-compliant processing.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger keyword list includes many broad, generic Chinese phrases such as '内容生成', '机构运营', and '短视频脚本' that are not narrowly scoped to this skill’s specific medical-IP purpose. This can cause unintended activation in unrelated contexts, leading the agent to produce regulated medical-marketing content when the user did not explicitly request this specialized behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.