Security audit

Health Guardian

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local health-monitoring skill, but it needs review because it handles very sensitive health data while under-disclosing cloud sync, storage, and ongoing scheduled processing risks.

Review before installing. Only use this if you are comfortable letting it read Apple Health exports and retain raw health telemetry locally; verify the exact iCloud/source path, protect or encrypt the data folder, and enable hourly cron or Telegram/caregiver alerts only after confirming who can see alerts and how to stop the workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents file read/write behavior over highly sensitive health data but declares no permissions or trust boundaries. In an agent environment, undeclared filesystem access increases the chance of overbroad data access, silent collection of nearby files, and unsafe writes to local health records without informed operator consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is health monitoring, but the detected behavior includes direct filesystem ingestion, parsing/export handling, and archival/merge operations that materially expand the data-handling surface. This mismatch can mislead users and agents about what data is touched, creating privacy and integrity risk for sensitive medical information.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The claim that 'nothing leaves your machine' is contradicted by reliance on iCloud-synced exports and optional alert channels such as Telegram. For health data, misleading privacy claims are dangerous because users may enable the skill under false assumptions about where protected or highly sensitive information may flow.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The scheduled payload text, 'Run health import and check for anomalies,' is broad natural language that could be interpreted by an agent beyond the intended script invocation, especially in systems where system events are routed through a general-purpose session. In a health-monitoring context, that ambiguity raises the risk of unintended actions, data access, or noisy/incorrect alerts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill handles extremely sensitive health information and may send alerts externally, yet the description lacks a prominent warning about privacy, consent, retention, and notification risks. In the context of chronic-condition care, incomplete disclosure can lead operators to deploy it without appropriate safeguards for medical confidentiality and false-alert consequences.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script automatically reads highly sensitive health data from local Apple Health export locations and persists it into the skill's own data store without any explicit consent prompt, warning, minimization, or access control evident in the code. In the context of a health-monitoring skill for chronic conditions, this creates meaningful privacy risk because detailed biometric and wellness history is centralized in a new file that may be retained, copied, or exposed by other components.

VirusTotal

65/65 vendors flagged this skill as clean.