Back to skill

Security audit

Allergy

Security checks across malware telemetry and agentic risk

Overview

This allergy-tracking skill stores sensitive health notes locally, but that behavior is disclosed, user-invoked, and aligned with its purpose.

Install only if you are comfortable keeping allergy and symptom notes in plaintext under ~/.local/share/allergy. Use it on a trusted account and device, avoid entering unrelated secrets, periodically review or delete the data directory, and treat any exported files as sensitive health records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill handles sensitive health-related information and explicitly states that history and activity logging are automatic, but it does not prominently warn users that such data will be stored locally by default. That omission can cause users to disclose medical information without informed consent, increasing privacy risk on shared or unmanaged devices.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persistently stores allergy and symptom-related input under the user's home directory without any upfront privacy notice, consent mechanism, retention policy, or file-permission hardening. Because this skill handles health information, silent local retention increases the chance of unintended disclosure to other local users, backups, support bundles, or malware that harvests user data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export feature creates consolidated copies of sensitive health records in JSON, CSV, or TXT formats without warning the user that the output is easily shareable and may be less protected than the source logs. In a health-tracking context, exporting amplifies exposure risk because these files may be emailed, synced, indexed, or left in locations accessible to other software or users.

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.