clinical-decision-support
Fail
Audited by Snyk on May 29, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.85). The skill contains explicit, mandatory integration with an external AI image-generation/review service that encodes and uploads document content (including images) to a third‑party API, creating a high risk of unintended data exfiltration (including PHI) and use of base64-encoded payloads for external execution/review; no hidden remote shells or obfuscated execs were found, but the external upload flow and mandatory figure generation make this a high-risk data‑exfiltration pattern.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts (e.g., scripts/generate_schematic_ai.py and scripts/generate_schematic.py) make live API calls to https://openrouter.ai/api/v1 (OpenRouter/Nano Banana models) and use the model's responses to review, modify, and control subsequent prompt generation and image-generation behavior, so an external URL is contacted at runtime and its returned content directly controls agent prompts/instructions.
MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
- Hidden Unicode characters detected (1 type(s) found)
Issues (3)
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W021
MEDIUMHidden or invisible Unicode characters detected (potential obfuscation or prompt injection).
Audit Metadata