Health Assistant

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Garmin health-coach purpose, but it needs Review because it handles sensitive health/account data with incomplete privacy, install, and cleanup disclosures.

Install only if you are comfortable connecting Garmin and Google/NotebookLM, sending health-derived prompts to that AI tool, and keeping local health history/logs. Prefer manual, reviewed dependency installation; delete ~/.openclaw/data/health-assistant and related logs when resetting; and use a more specific trigger than "report" before regular use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Use sys.executable to ensure installation into the same Python environment
            print("Installing dependencies...")
            subprocess.check_call([sys.executable, "-m", "pip", "install", "notebooklm-py[browser]"])
            
            print("Downloading browser core...")
            subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "notebooklm-py[browser]"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
subprocess.check_call([sys.executable, "-m", "pip", "install", "notebooklm-py[browser]"])
            
            print("Downloading browser core...")
            subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])
            
            return True, "Installation successful"
        except Exception as e:
Confidence
90% confidence
Finding
subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities that imply file access and shell execution, but declares no permissions at all. This undermines informed consent and platform policy enforcement, especially for a health-oriented skill that may process sensitive biometric and account data while also invoking local commands and writing local state.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a simple health analysis assistant, but the described behavior expands into software installation, browser automation, third-party authentication, local retention of sensitive health/account data, and interactive setup state management. That mismatch is dangerous because users and reviewers may approve the skill without realizing its broader access, persistence, and external data-sharing footprint.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The PRD states that all health data remains local and is not uploaded to the cloud, but the architecture explicitly sends health-related data to external services such as NotebookLM and wearable vendor APIs. This creates a misleading privacy guarantee that can cause users to disclose sensitive biometric data under false assumptions and may introduce consent, compliance, and trust issues.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document claims no personal identity information is stored, yet the onboarding flow explicitly asks for a Garmin account email, which is personal identifying information. This contradiction is dangerous because it undermines informed consent and may lead to improper handling of credentials and identity-linked health data.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The PRD promises encrypted local credential storage, but the provided configuration and storage examples do not show any concrete encrypted credential design, key management, or secret isolation. In practice, teams often implement what is documented in examples, so this gap can result in plaintext or weakly protected API credentials on disk.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The installer adds browser automation support via Playwright and downloads Chromium even though the stated skill purpose is Garmin and health-data analysis. That expands the attack surface, introduces a powerful web automation capability that could be abused for credential capture or unintended browsing behavior, and is only weakly justified by the vague note about 'AI login'. In this context, handling health data makes unnecessary browser automation more sensitive because it may interact with authenticated services and expose private data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill installs notebook tooling and browser automation dependencies that are not clearly aligned with its advertised Garmin/health-coaching purpose. This mismatch increases suspicion because it introduces powerful capabilities and external code execution paths that could be abused or could surprise users with unannounced environment changes.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Checking for a NotebookLM session file in the user’s home directory probes the host for state unrelated to the skill’s stated health-assistant purpose. Even though it only tests for file existence, it reveals information about installed tools and login status, which is a privacy concern and a sign of unnecessary host inspection.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill sends highly sensitive health data to an external local CLI process, expanding the trust boundary beyond what users may expect from a report generator. Even without command injection, a substituted, compromised, or overly privileged `notebooklm` binary could exfiltrate biometric data or execute unintended behavior on the host.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The setup flow can trigger automatic installation of external tooling (`EnvChecker.run_install()`) during normal conversation, which is a system-modifying action outside the user’s core expectation for a Garmin health assistant. Even though the user is prompted with a yes/no question, the code does not clearly disclose what will be installed, what commands will run, or what security implications exist, making this a risky software-installation pathway.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a Garmin/biometric health coach, but the first-run flow prioritizes preparing a separate NotebookLM AI engine. This mismatch between advertised purpose and actual setup behavior is a trust and transparency problem that can socially engineer users into approving unrelated software setup they did not expect.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The documented trigger phrase is a single common word, "report", with no namespace, prefix, or confirmation step. In chat-based automation contexts this can cause accidental invocation from ordinary conversation or other bot interactions, which may expose sensitive health summaries or trigger unintended data processing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill handles highly sensitive health and account data, yet the user-facing description does not warn about collection, local storage, or sensitivity of that information. In a health context, lack of disclosure is especially risky because users may reveal medical conditions, wellness goals, and account credentials without understanding privacy implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file mentions external services including NotebookLM/Google authentication and message-delivery plugins for Telegram, Discord, WeChat, and Feishu, but does not warn that user data may be transmitted to third parties. That omission is dangerous because health summaries and biometric insights may leave the local environment and be exposed to external providers with different security and privacy controls.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code makes system changes by installing packages and downloading a browser without any explicit confirmation, warning, or preflight disclosure. Silent modification of the runtime environment is dangerous because users may not understand that external code will execute and substantial files will be added to their system.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code offers to 'install them automatically' without a clear user-facing warning that accepting will execute install actions on the host system. In an agent context, ambiguous installation prompts are dangerous because users may interpret them as benign app setup rather than approval for code execution or package installation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
garth>=0.1.0
notebooklm-py>=0.3.0
Confidence
95% confidence
Finding
garth>=0.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
garth>=0.1.0
notebooklm-py>=0.3.0
Confidence
97% confidence
Finding
notebooklm-py>=0.3.0

VirusTotal

66/66 vendors flagged this skill as clean.
