
Security audit

Likes Training Planner

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its training-planner purpose, but it can write or overwrite plans for multiple accounts and uses a risky remote installer and plaintext API-key storage.

Install only if you trust the publisher and need coach-level My Likes automation. Prefer manual installation over curl-to-bash, use the least-privileged API key available, review plan JSON before pushing, avoid bulk or overwrite unless you are authorized and have backups, and treat exported activity/GPS data and the local API-key file as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill advertises shell and environment-variable driven behavior but does not declare permissions or clearly constrain those capabilities. In practice this weakens user consent and review because the skill can access API keys and invoke shell commands without an explicit permission boundary, which is especially risky given the install and script-driven workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The documented behavior materially differs from what is visible: it claims end-to-end analysis and planning, but also includes remote installation and bot-routing behavior that is not part of the stated purpose. Description/behavior mismatch is dangerous because it can hide unexpected code paths and social-engineer users into granting trust, credentials, or execution they would not otherwise allow.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
The documented ability to add coach feedback comments is unrelated to the advertised core function of generating and syncing training plans, which suggests unnecessary write capability. Excess write scope increases the blast radius if the skill is misused, compromised, or invoked with ambiguous user intent.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The README claims a preview-confirm-push workflow but also documents a direct push command, creating a misleading safety guarantee. Users may assume pushes are always gated by confirmation when in fact the skill appears to support bypassing that safeguard, increasing the chance of unintended writes to a calendar.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The changelog states there is a forced confirmation flow, but the README also documents standalone pushing without that step. This inconsistency can mislead users and downstream agents into trusting a safeguard that is not actually enforced.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The README claims users must preview and confirm before pushing plans, but it also documents a direct push command that bypasses that safeguard. In a skill that writes training plans to a calendar/account, contradictory guidance can cause unintended modifications, duplicate plans, or overwrites without adequate review.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The installation instructions tell users to download a remote script and pipe it directly into bash, granting immediate code execution from an external server with no verification. This is a classic supply-chain and remote-code-execution risk: if the server, account, or network path is compromised, arbitrary commands can run on the user's machine with the user's privileges.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation instructs users to install the skill by piping a remotely fetched script directly into bash. This creates a supply-chain execution path where any compromise of the GitHub repo, branch, account, or network trust boundary can immediately lead to arbitrary code execution on the user's machine, which is not necessary for a training-planner skill.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script adds coach comments to trainee feedback via a live API endpoint, which expands the skill from training-plan generation into user-content modification. That capability is not reflected in the stated training-plan scope, so it creates a scope mismatch that can surprise operators, increase privilege exposure, and enable unauthorized or unintended actions if the skill is installed with broad API access.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script is capable of bulk-pushing plans to multiple users or training-camp members, which significantly expands the blast radius of a mistaken or unauthorized invocation. In the context of an agent skill, this is more sensitive than a personal-calendar helper because a compromised API key or misconfigured automation could modify many users' training plans at once.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script performs a state-changing action against the platform by posting coach comments to trainee feedback, but that capability is not reflected in the skill's stated training-plan-focused purpose. Hidden or under-declared write operations are dangerous because an agent or user may invoke them without understanding that they can modify another user's records, enabling unauthorized or unintended actions if the skill is granted credentials.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads API credentials from local config files and environment variables, then uses them for an action unrelated to the clearly described planner functionality. In the context of an agent skill, this is risky because bundled code can silently repurpose stored credentials for side-effecting operations that users did not expect, increasing the chance of credential misuse and unauthorized writes.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README recommends a one-line installation method that downloads a remote script and executes it immediately with bash. This creates a supply-chain execution risk: if the remote endpoint, repository, maintainer account, or network path is compromised, arbitrary code will run on the user's machine without inspection.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Piping a remotely fetched script directly into bash executes unreviewed code immediately with the user's privileges, making supply-chain compromise or repository takeover highly dangerous. Because this is presented as the recommended installation path, it normalizes unsafe execution and increases the likelihood of exploitation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README recommends one-line installation via a remote shell script piped directly into bash, which executes code fetched at runtime without giving the user a chance to inspect it. If the hosting account, release pipeline, or network path is compromised, this can lead to arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence
73% confidence
Finding
The README encourages fetching training history and detailed activity data including GPS without warning that this data is sensitive personal information. In the context of a fitness skill, location traces, schedule patterns, and health-related activity history can expose highly sensitive behavioral and physical-world information if stored, shared, or mishandled.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill supports pushing plans to calendars for the current user and for other users in a training camp, but the documentation does not prominently warn that this modifies account data and can affect multiple people. In a skill that performs write operations, insufficient disclosure raises the chance of accidental or unauthorized changes, especially when bulk operations are supported.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill asks for a Likes API key and uses it to access account data and perform actions, but the documentation does not adequately explain credential sensitivity, storage, transmission, or least-privilege handling. This is dangerous because users may expose a powerful token to local scripts and external services without understanding how it can be abused if leaked or mishandled.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents bulk plan pushes to other users and camp members but does not prominently warn that this performs actions affecting other accounts. In a coaching context this may be legitimate, but without explicit consent, preview, and impact warnings it increases the risk of unauthorized or accidental mass changes to users' training calendars.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This reference file contains multiple high-intensity, sport-specific, and progression-based workouts, including intervals, marathon plans, VO2 max work, and strength circuits, without any visible safety disclaimer or adaptation guidance. In the context of an all-in-one training-planner skill that may generate personalized plans and push them to a calendar, users could follow unsuitable workouts despite injury history, medical conditions, or inadequate fitness, increasing risk of overtraining or acute injury.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The script silently writes bot context into a file under the user's home directory without checking permissions, obtaining consent, or disclosing that local state is being persisted. While the stored data is limited, undisclosed persistence can leak workspace usage metadata to other local processes or users and can create confusing cross-session behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script prompts for an API key and persists it to a plaintext JSON file under the user's home directory without clearly warning the user that credentials will be stored locally. If the workstation is shared, backed up insecurely, or compromised by another local process, the API key could be recovered and used to access the user's Likes account or training data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The --overwrite option enables destructive replacement of existing plans without any interactive confirmation, secondary flag, or detailed warning. In this skill's context, that can cause irreversible or hard-to-recover loss of training schedules for one or many users, especially when combined with bulk-push support.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script accepts an API key from argv or environment variables and persists it to a JSON file in the user's home directory without setting restrictive file permissions or warning the user that a long-lived credential will be stored on disk. If the home directory is shared, backed up insecurely, or readable by other local users/processes, the credential could be exposed and used to access the Likes account or related training data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This file contains numerous high-intensity, endurance, and sport-specific workouts, including VO2 max intervals, HIIT, marathon plans, and threshold sessions, but provides no safety disclaimer, progression guidance, contraindications, or advice to adapt for fitness level or medical conditions. In a skill that generates personalized plans and pushes them to a calendar, this omission increases the chance that users treat examples as ready-to-use prescriptions, which can contribute to overtraining, injury, or adverse events.

VirusTotal

65/65 vendors flagged this skill as clean.
