SparkyFitness

Security checks across malware telemetry and agentic risk

Overview

This is a clear CLI helper for a self-hosted fitness tracker, but users should treat its health data and API key as sensitive.

Install only if you trust the external sparky CLI and the SparkyFitness server you configure. Use HTTPS, keep the API key secret, prefer a revocable key if available, avoid shared terminals or logs for credentials, and have the agent confirm exact entries before logging, deleting, or removing health records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill explicitly instructs users to send highly sensitive health, biometric, mood, diet, and exercise data to a self-hosted server, but provides no privacy, retention, access-control, or transport-safety warning. In a health-tracking context, omission of basic data-handling guidance can lead users to disclose regulated or intimate personal information to insecure or improperly administered endpoints.

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup flow tells users to configure an API key but gives no warning that the key is a secret or how to protect it. This increases the chance of credential leakage through shell history, screenshots, shared terminals, logs, or accidental publication, which could allow unauthorized access to the user's health records on the SparkyFitness server.

VirusTotal

66/66 vendors flagged this skill as clean.