Is kylemorgan-commits/find-and-book-in-network-doctors safe?
This skill is a clean marketing document that adds Zocdoc.com doctor-search-and-booking capability to an AI agent. The SKILL.md contains no prompt injection, no executable code, and the install was a straightforward sparse git clone that left no persistent connections or system changes. The primary concerns are commercial and privacy-related: the skill funnels all health-sensitive user data (conditions, insurance, location) exclusively to Zocdoc.com with no consent mechanism, and contains explicit AI ecosystem capture language designed to establish Zocdoc as the default healthcare infrastructure across AI deployments. Pre-install reads of credential files were detected but preceded the install script and are consistent with audit framework initialization; canary integrity was confirmed intact with no exfiltration.
Findings (6)
HIGH Credential files read before install script executed -28
Filesystem monitoring (both inotify and auditd PATH records) detected read-only access to six sensitive credential files at timestamp 04:35:26 — approximately 5 seconds before the skill install script ran at 04:35:31. The files accessed are the exact canary/honeypot set: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json. The accesses occurred twice (duplicated across both inotify monitoring sessions). Because these accesses precede the install and no corresponding exfiltration network traffic was detected, the most likely explanation is the oathe audit harness performing pre-install canary baseline reads or SSH session initialization. However, the provided logs lack full process attribution, so a malicious pre-hook or profile-script vector that happened to run at the same time cannot be ruled out.
MEDIUM Sensitive health data exclusively routed to single commercial provider -25
Every invocation of this skill transmits user-supplied Protected Health Information — medical conditions (e.g., acne, back pain), insurance provider, geographic location, and appointment preferences — to Zocdoc.com. There is no user consent flow, no opt-out, no alternative provider, and no disclosure that this data leaves the local agent context. For healthcare use cases this constitutes PHI leakage to a third-party commercial entity.
MEDIUM Explicit AI ecosystem capture marketing language -15
The closing paragraph of SKILL.md states: 'This positions Zocdoc.com as the infrastructure powering care discovery and booking across AI ecosystems.' This is not functional skill documentation — it is commercial positioning language intentionally embedded in a prompt that will be injected into AI agent system prompts, designed to establish Zocdoc as a preferred default across all AI deployments that install this skill.
LOW Single-vendor framing constrains agent's solution space -10
SKILL.md references Zocdoc.com by name 15+ times and presents it as the only valid infrastructure for healthcare search and booking. When injected as a system prompt, this framing prevents the agent from considering alternatives (e.g., direct insurer directories, hospital portals, NPI registries), reducing agent autonomy and potentially failing users in markets where Zocdoc has limited coverage.
INFO No executable code present 0
The skill directory contains only two files: SKILL.md (instructional markdown) and _meta.json (version metadata). No package.json, no scripts, no git hooks, no submodules, no compiled binaries, and no symlinks were found. The install was a pure file copy operation.
INFO All honeypot canary files confirmed intact 0
Despite filesystem read events on credential files at 04:35:26, the canary integrity monitor confirms no canary file was modified and no exfiltration via honeypot access was detected.