Security audit

Sleepwell

Security checks across malware telemetry and agentic risk

Overview

This needs review because it is marketed as a sleep tracker but mostly acts as a broad local productivity logger with persistent, searchable, exportable notes.

Install only if you are comfortable treating this as a local productivity logger, not just a sleep tracker. Avoid entering secrets, credentials, sensitive work details, or private health notes; review stored data under ~/.local/share/sleepwell and ~/.sleep if you use it. The publisher should align the name and description with the actual functionality, document both storage paths, add deletion/privacy controls, and fix the Python argument handling in sleep_diary.sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents persistent local file writes and exports but does not declare permissions, which undermines user consent and platform transparency. In a skill presented as a sleep/wellness tool, undeclared storage behavior is risky because users may share sensitive personal or health-adjacent notes without realizing they are being written to disk and later exportable.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The manifest markets the skill as a sleep tracker, but the documented functionality is a broad productivity and note-management system with arbitrary logging, search, reporting, and export. This mismatch is dangerous because it can induce users or calling agents to trust and invoke the skill in a narrow health context while it actually collects and persists much broader personal and work data.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The top-level metadata and title frame the skill as sleep-related, while the body describes a general-purpose productivity/task manager. This is a trust and safety issue because users, orchestration systems, and reviewers may grant access or provide sensitive inputs based on the sleep/wellness framing, not on the actual broader data-handling behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documented commands include reminder, prioritization, archive, tagging, reports, export, search, and general history features that are not justified by a sleep-habit tracker. Excess capabilities increase data collection surface and create opportunities to store unrelated sensitive information under misleading health-tool branding.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Examples and usage text repeatedly show work tasks, sprint planning, deploy searches, reports, and retrospectives rather than sleep-related actions. This reinforces deceptive framing and encourages users to enter broader personal or corporate data into a tool they may reasonably believe is for simple sleep tracking.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script presents itself as a sleep-tracking skill but actually exposes a broad generic note-taking/productivity surface with commands like add, archive, tag, report, and prioritize. This mismatch is dangerous because users or higher-level agents may trust it with sleep-related data while it silently functions as a general-purpose persistent logger, increasing the chance of oversharing, misuse, and policy bypass through capability misrepresentation.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The inline documentation explicitly describes the tool as a 'productivity toolkit,' contradicting the advertised sleep-habit tracking identity. This inconsistency is a security-relevant trust issue because deceptive or inaccurate labeling can cause users and orchestrating systems to grant access or provide data under false assumptions about the tool's scope.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation states that all entries are persistently logged and exportable, but it does not warn users that free-form entries may contain sensitive personal, health, or work information. Lack of disclosure increases the chance of inadvertent local retention and secondary exposure through export files, backups, shared machines, or support bundles.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
Presenting a generic note/productivity logger as a sleep or health tool is misleading and can cause misplaced user trust. While the issue is primarily framing rather than direct exploit code, health-related branding lowers user skepticism and makes broad data capture more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes raw user input into persistent files under ~/.local/share/sleepwell without clear upfront disclosure or consent. In the context of a sleep-related skill, users may enter sensitive health, schedule, or routine information, so silent retention increases privacy risk and can expose personal data to other local users, backups, or later exports.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists sleep logs under ~/.sleep/sleep.json and related files without any notice, consent prompt, retention policy, or permission hardening, even though sleep habits can be sensitive health-related data. In a personal wellness skill, this context increases concern because users may reasonably assume ephemeral tracking while the skill silently creates long-lived local records that could be exposed to other local users, backups, or synced home directories.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.