Dexcom CGM

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it fetches Dexcom glucose readings, but users should treat the Dexcom password and glucose output as sensitive health data.

Install only in an environment where you are comfortable storing Dexcom credentials and exposing current glucose readings to the agent, logs, or chat history. Prefer a secure secret store or tightly permissioned local config, avoid committing credentials, and rotate the Dexcom password if you think it was exposed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill instructs users to place Dexcom account credentials in environment variables or a local config file without any guidance on secure storage, file permissions, credential rotation, or the sensitivity of medical account data. While this is common operationally, inadequate handling advice increases the risk of credential leakage through shell history, process inspection, backups, dotfile syncing, or overly permissive local config files.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal