Lp3
Medium
- Category
- MCP Least Privilege
- Confidence
- 70% confidence
- Finding
- Without declared permissions the skill's intent is opaque and cannot be validated.
Security audit
Security checks across malware telemetry and agentic risk
This is a local fitness tracker, but its script can turn crafted workout inputs into unintended local Python execution.
Review before installing. The skill has a coherent local-only fitness purpose and no network or credential behavior, but do not pass untrusted or unusual text into its commands until the script is fixed to pass values safely to Python through arguments, environment variables, or JSON serialization. Also be aware that workout and weight data remain stored locally in $HOME/.fitness.
66/66 vendors flagged this skill as clean.
No suspicious patterns detected.