clinical-trial-protocol-skill

Fail

Audited by Socket on Feb 15, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill's functionality and described capabilities are coherent with its stated purpose. There are no code snippets or artifacts in this fragment that indicate direct malicious payloads, obfuscation, or backdoors. However, the required external MCP server (Claude Desktop plugin) is a notable network dependency and a potential data-exfiltration conduit for sensitive user-supplied documents stored in waypoints. The skill stores user-provided materials in plaintext waypoint files and performs automatic MCP connectivity checks, which raises privacy and supply-chain trust concerns. Recommendations: treat the MCP dependency as a trusted component only after verification, avoid uploading PHI or sensitive proprietary data without review, and inspect all references/*.md subskills before execution to ensure they contain no hidden instructions. Overall: low probability of malware, but moderate security/privacy risk due to the external dependency and the storage of sensitive inputs.

Confidence: 75%
Severity: 55%

Audit Metadata
Analyzed At: Feb 15, 2026, 08:33 PM
Package URL: pkg:socket/skills-sh/anthropics%2Fhealthcare%2Fclinical-trial-protocol-skill%2F@95419dfb4f54209d6613b09bde0a99e9cade8289