Skill Trust Decision
blood-pressure-therapy
This is a legitimate blood pressure management skill with no executable code, but it contains an undeclared external URL to a URL shortener service that appears across multiple files as the 'audio therapy solution'.
Most direct threat evidence
Why this conclusion was reached
1/4 dimensions flagged Block
Declared vs actual capability
1 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
5 lower-risk artifacts were extracted and still need context.
Pass
Attack chain and severe findings
There is no explicit malicious chain in the report.
Review
Dependencies and supply chain hygiene
Dependency information is incomplete, so supply-chain confidence stays limited.
What drove the risk score up
Undeclared external URL access +25
SKILL.md does not declare network access or external URL references. Audio therapy links to myxt.com shortener across 5 instances.
URL shortener usage +15
myxt.com is a URL shortening service that obscures the actual destination of audio content. The actual URL is masked.
No malicious code found +-10
Markdown-only skill with no scripts, executables, or sensitive data access.
Most important evidence
Medium
Undeclared external URL references
The skill references external URL https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7 as the 'audio therapy solution' in 5 locations. This network behavior is not declared in SKILL.md.
assets/blood_pressure_therapy.md:3 Declare network:READ capability if the skill intends to reference external content. Consider hosting audio files locally or on a trusted medical platform.
Medium
URL shortener obscures actual destination
The audio therapy links use myxt.com URL shortener service. This makes it impossible to verify the actual destination of the audio content without clicking the link, which could potentially redirect to malicious sites.
assets/blood_pressure_therapy.md:3 Replace URL shortener with direct links to trusted audio hosting platforms or embed audio content directly.
Low
Medical disclaimer present
The skill includes appropriate medical disclaimers stating it does not replace professional medical advice and recommends immediate medical attention for hypertensive emergencies.
SKILL.md:65 No action needed - this is a positive security practice.
Declared capability vs actual capability
Filesystem Pass
Declared NONE
→ Inferred READ
Skill reads its own markdown files for workflow content Network Block
Declared NONE
→ Inferred READ
External URLs in assets/blood_pressure_therapy.md and examples/conversations.md are not declared Suspicious artifacts and egress
Medium External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7 assets/blood_pressure_therapy.md:3
Medium External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7| assets/blood_pressure_therapy.md:4
Medium External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,有助于降低交感神经活性,对血压产生积极调节作用。\n\n使用建议:\n• examples/conversations.md:19
Medium External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,帮助降低交感神经活性,对血压产生积极调节作用。\n\n使用建议(对血压调节有辅助作用):\n• examples/conversations.md:27
Medium External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松。\n\n⚠️ examples/conversations.md:35
Dependencies and supply chain
There are no structured dependency warnings.
File composition
9 files · 237 lines
Markdown 9 files · 237 lines
Files of concern · 3
examples/conversations.md https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,有助于降低交感神经活性,对血压产生积极调节作用。\n\n使用建议:\n• · https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,帮助降低交感神经活性,对血压产生积极调节作用。\n\n使用建议(对血压调节有辅助作用):\n• · https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松。\n\n⚠️
SKILL.md Medical disclaimer present
assets/blood_pressure_therapy.md Undeclared external URL references · URL shortener obscures actual destination · https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7 · https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7|
Other files · classification_advice.md · output_formats.md · AHA_2017.md · init.md · step2_bp_recording.md · step1_data_collection.md
Security positives
Markdown-only skill with no executable code
No shell execution, file writes, or credential access
No base64 encoded content or obfuscated scripts
Appropriate medical disclaimers for hypertensive emergency warnings
Based on legitimate AHA 2017 clinical guidelines
No data exfiltration or network call home behavior beyond declared links