clinical-decision-support

Fail

Audited by Snyk on May 29, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.85). The skill contains explicit, mandatory integration with an external AI image-generation/review service that encodes and uploads document content (including images) to a third‑party API, creating a high risk of unintended data exfiltration (including PHI) and use of base64-encoded payloads for external execution/review; no hidden remote shells or obfuscated execs were found, but the external upload flow and mandatory figure generation make this a high-risk data‑exfiltration pattern.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts (e.g., scripts/generate_schematic_ai.py and scripts/generate_schematic.py) make live API calls to https://openrouter.ai/api/v1 (OpenRouter/Nano Banana models) and use the model's responses to review, modify, and control subsequent prompt generation and image-generation behavior, so an external URL is contacted at runtime and its returned content directly controls agent prompts/instructions.

MEDIUM W021: Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

  • Hidden Unicode characters detected (1 type(s) found)

Issues (3)

E006
CRITICAL

Malicious code pattern detected in skill scripts.

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W021
MEDIUM

Hidden or invisible Unicode characters detected (potential obfuscation or prompt injection).

Audit Metadata
Risk Level
CRITICAL
Analyzed
May 29, 2026, 12:31 PM
Issues
3
Security Audit — snyk — clinical-decision-support