Slug Test

Security checks across malware telemetry and agentic risk

Overview

This health-data skill is purpose-aligned but needs Review because it exposes sensitive Apple Health data through a public webhook with weak security guidance.

Install only if you trust the npm package and TestFlight app, set a strong ADMIN_TOKEN before exposing anything publicly, prefer private networking over public tunnels where possible, protect pairing links and API tokens, and understand that health records will persist locally for future agent or local-process access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly instructs users to expose a local webhook server containing sensitive health data to the public internet via Tailscale Funnel, Cloudflare Tunnel, or ngrok, but provides no meaningful privacy, authentication, rate-limiting, or hardening guidance for that exposure. Because the data involved is highly sensitive medical/biometric information, internet exposure materially increases the risk of unauthorized access, token abuse, enumeration, or accidental data leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal