eatsth-by

Security checks across malware telemetry and agentic risk

Overview

This skill saves diet-related health notes and food inventory locally so it can make meal recommendations, and I found no hidden code, network access, or unrelated authority.

Install only if you are comfortable with sensitive health notes and food inventory being stored in local plaintext markdown files. Review or delete those files when you no longer want the information retained, and avoid storing medical details you would not want other local tools or users to access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs the agent to create, update, and delete local files containing sensitive health data and food records, but does not require explicit user consent, visibility, or confirmation before modifying persistent storage. Because the stored data includes health conditions, symptoms, dietary restrictions, and habits, silent persistence can expose highly sensitive personal information and create privacy, integrity, and retention risks if accessed, reused, or modified unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal