Security Decision Report

blood-pressure-therapy

This is a legitimate blood pressure management skill with no executable code, but it contains an undeclared external URL to a URL shortener service that appears across multiple files as the 'audio therapy solution'.

Install decision first · Source: manual upload · Scanned: 2026/4/3
Files 9
IOCs 5
Privilege overreach items 1
Findings 3
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered

Block
Declared vs actual capabilities

Found 1 capability or privilege overreach beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 5 general-risk artifacts; they need to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path was formed.

Review
Dependencies and supply-chain hygiene

No complete dependency information; the supply-chain judgment must remain tentative.

How the risk score was raised

Undeclared external URL access +25

SKILL.md does not declare network access or external URL references. The audio-therapy link points to the myxt.com shortener in 5 instances.

URL shortener usage +15

myxt.com is a URL shortening service that obscures the actual destination of audio content. The actual URL is masked.

No malicious code found -10

Markdown-only skill with no scripts, executables, or sensitive data access.

Key evidence

Medium

Undeclared external URL references

The skill references external URL https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7 as the 'audio therapy solution' in 5 locations. This network behavior is not declared in SKILL.md.

assets/blood_pressure_therapy.md:3
Declare network:READ capability if the skill intends to reference external content. Consider hosting audio files locally or on a trusted medical platform.
Medium

URL shortener obscures actual destination

The audio therapy links use the myxt.com URL shortener service. This makes it impossible to verify the actual destination of the audio content without following the link, which could redirect to a malicious site.

assets/blood_pressure_therapy.md:3
Replace URL shortener with direct links to trusted audio hosting platforms or embed audio content directly.
Low

Medical disclaimer present

The skill includes appropriate medical disclaimers stating it does not replace professional medical advice and recommends immediate medical attention for hypertensive emergencies.

SKILL.md:65
No action needed - this is a positive security practice.

Declared vs actual capabilities

Filesystem: Pass
Declared NONE
Inferred READ
Skill reads its own markdown files for workflow content
Network access: Block
Declared NONE
Inferred READ
External URLs in assets/blood_pressure_therapy.md and examples/conversations.md are not declared

Suspicious artifacts and outbound connections

Medium · External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7

assets/blood_pressure_therapy.md:3

Medium · External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7|

assets/blood_pressure_therapy.md:4

Medium · External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,有助于降低交感神经活性,对血压产生积极调节作用。\n\n使用建议:\n•

examples/conversations.md:19

Medium · External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松,帮助降低交感神经活性,对血压产生积极调节作用。\n\n使用建议(对血压调节有辅助作用):\n•

examples/conversations.md:27

Medium · External URL
https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7\n\n这是一套专为高血压人群设计的放松音频方案,通过特定频率和节奏引导身心深度放松。\n\n⚠️

examples/conversations.md:35

Dependencies and supply chain

No structured dependency alerts.

File composition

9 files · 237 lines
Markdown 9 files · 237 lines
Files of concern · 3
examples/conversations.md Markdown · 35 lines
External myxt.com URL (https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7) quoted with the audio-therapy text at lines 19, 27 and 35
SKILL.md Markdown · 73 lines
Medical disclaimer present
assets/blood_pressure_therapy.md Markdown · 3 lines
Undeclared external URL references · URL shortener obscures actual destination · https://myxt.com/link/738cba02-d41a-453a-99db-9be5545c1cd7 at lines 3 and 4
Other files · classification_advice.md · output_formats.md · AHA_2017.md · init.md · step2_bp_recording.md · step1_data_collection.md

Security highlights

Markdown-only skill with no executable code
No shell execution, file writes, or credential access
No base64 encoded content or obfuscated scripts
Appropriate medical disclaimers for hypertensive emergency warnings
Based on legitimate AHA 2017 clinical guidelines
No data exfiltration or call-home network behavior beyond the declared links