Healthkit Code Review

Security checks across malware telemetry and agentic risk

Overview

This appears to be a HealthKit development guidance skill with a privacy guidance gap, not a skill that directly accesses or sends health data.

Before installing, treat this as a development aid rather than legal or privacy approval. If you use its HealthKit sync guidance, make sure your app obtains clear user consent, minimizes health data transfer, uses secure transport, defines retention/deletion behavior, and follows Apple HealthKit rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 78% confidence
Finding
The guidance normalizes syncing HealthKit samples and deletions to a server without any accompanying privacy, consent, retention, or data-transfer warning. In the context of a code review skill for HealthKit, this can mislead downstream users into treating the transmission of sensitive health data as a routine implementation detail, increasing the risk of privacy violations or policy-noncompliant designs.

VirusTotal

66/66 vendors flagged this skill as clean.