sparky

Security checks across malware telemetry and agentic risk

Overview

This is a coherent SparkyFitness CLI helper, with expected but privacy-sensitive health-data logging and external lookup behavior.

Install only if you trust the sparky CLI source and the SparkyFitness server you configure. Protect the API key, assume logged food, exercise, weight, steps, and mood data will be written to that server, and avoid sensitive food or exercise searches if external lookup fallback is a privacy concern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill documentation tells users to configure a server URL and API key and explicitly states that food and exercise searches may fall back to online providers, but it does not warn that health-related and potentially sensitive data may be transmitted to a self-hosted server and third-party services. Because the skill handles diet, exercise, weight, steps, and mood data, the missing disclosure can mislead users about privacy exposure and cause unintended sharing of sensitive personal information.

VirusTotal

63/63 vendors flagged this skill as clean.