healthcare-monitor

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data analysis pipeline. The script scripts/analyzer.py contains a function analyze_with_llm that interpolates raw scraped web content (corporate changes and profiles) directly into an LLM prompt without sanitization or boundary markers.
  • Ingestion points: Untrusted data enters the system from external websites via scripts/scraper.py, scripts/scraper_free.py, and scripts/funding_detector.py.
  • Boundary markers: The LLM prompt in analyzer.py does not use delimiters (like XML tags or triple quotes) or explicit 'ignore embedded instructions' warnings to isolate the untrusted data from the task instructions.
  • Capability inventory: The agent has access to Exec (via subprocess.run), Browser (via Playwright), and Network capabilities.
  • Sanitization: No escaping or validation is performed on the scraped content before it is processed by the LLM.
  • [COMMAND_EXECUTION]: Several scripts (funding_detector.py, funding_detector_v2.py, notifier.py, quick_monitor.py) use subprocess.run to execute external binaries and local scripts.
  • The system calls pass show api/firecrawl to retrieve secrets from the local password manager.
  • The system calls telegram-push.sh to handle notifications.
  • The system calls openclaw web search to gather enterprise news.
  • [EXTERNAL_DOWNLOADS]: The skill performs extensive network operations to fetch data from various domains, including firecrawl.dev, 36kr.com, vcbeat.top, pedaily.cn, qcc.com, and sina.com.cn. It also uses Playwright to automate browser sessions for data collection, which fetches web content dynamically.
  • [CREDENTIALS_UNSAFE]: The skill hardcodes a default Telegram chat ID (8518085684) in scripts/notifier.py and SKILL.md. While not a secret token itself, it serves as a hardcoded destination for notifications. If a user does not manually override this in config/settings.json, monitoring reports containing enterprise data will be sent to the author's specified ID by default.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 10:15 PM