Diet

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local diet tracker that stores meal and water logs on the user’s computer.

Install only if you are comfortable storing nutrition and water-intake history locally in ~/.diet. Treat that folder as private, include it in your backup/privacy decisions, and delete it if you no longer want the logs retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill advertises shell commands that read environment context and write persistent data under ~/.diet/, but it declares no permissions. This creates a transparency and consent problem: an agent or reviewer may assume the skill is read-only or lower-risk when it can access local state and modify files, increasing the chance of unintended data exposure or filesystem changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal