Back to skill

Security audit

Health Ecosystem

Security checks across malware telemetry and agentic risk

Overview

This health-tracking skill is coherent, but it deserves Review because it stores, analyzes, schedules, and may sync highly sensitive health data with incomplete privacy and control details.

Install only if you are comfortable with automated collection, AI analysis, persistent local storage, and possible private-repository syncing of personal health records. Before initializing, review the dependent Huawei Health and Obsidian Git skills, confirm the repository is private, understand where AI processing happens, and check how to disable or delete the scheduled cron tasks and stored health logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly promotes health data collection from wearable devices and timed automation, but it does not warn users about the sensitivity of health data, consent requirements, storage/retention, or what automated tasks will do on their systems. In a health-management skill, this omission is more serious because users may expose highly sensitive personal information or enable recurring actions without understanding privacy and operational consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly states that initialization will automatically create directories, configure scheduled tasks, and generate templates, and later documents filesystem/script locations. Those are system-changing operations that can alter a user's environment or persistence model, but the skill does not present a clear upfront consent/confirmation step or warn about the scope of changes before execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
This skill processes highly sensitive health data and says it will sync that data to a private Git repository, but the privacy section understates the real risk of accidental exposure, misconfigured remotes, shared devices, leaked credentials, or future repository visibility changes. Health metrics such as heart rate, sleep, stress, blood oxygen, and women's health data are especially sensitive, so inadequate warning and safeguards materially increase confidentiality risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.