FitnessRec FitAPI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward FitnessRec API skill for nutrition and exercise lookup, with expected network/API-key use but some privacy and trigger-scope caveats.

Install only if you are comfortable giving the skill a FitnessRec FitAPI key and sending food, exercise, barcode, recipe, and optional body-stat details to FitnessRec's API. Use a dedicated API key if possible, monitor quota or billing usage, and avoid personalized nutrition calls unless the user knowingly wants those body measurements used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The skill instructs agents to transmit body measurements and sensitive health-related attributes such as age, gender, pregnancy/lactation status, and activity level to a third-party API without an explicit privacy warning, consent step, or data-minimization guidance. This creates a real privacy risk because users may disclose regulated or sensitive personal health data to an external service without understanding where it is sent or how it is handled.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding:
The contains-based trigger "exercise" is broad enough to match many ordinary user requests that are not specifically intended for this skill, increasing the chance of unintended invocation. While this is not code execution or data exfiltration by itself, overbroad activation can route unrelated prompts to a network-enabled skill and cause unnecessary external requests or confusing behavior.

Vague Triggers

Severity: Medium | Confidence: 95%
Finding:
The trigger "nutrition" is highly generic and, when used with a contains rule, can activate on a wide range of unrelated health, education, or general discussion prompts. This broad matching raises the risk of accidental skill invocation and unnecessary outbound API use in contexts where the user did not intend to call this integration.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding:
The term "macros" is ambiguous shorthand that appears in many contexts and may trigger on conversations not meant to invoke a food API skill. Because activation is unconditional on substring presence, this can create spurious routing and external calls without strong evidence that the user wants this specific capability.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding:
The trigger "barcode" is not limited to food-product contexts, so it may match unrelated retail, logistics, hardware, or scanning queries. In a network-enabled skill, that overbreadth can cause unintended invocation and unnecessary interaction with the external service, even though the skill's intended use is branded food lookup.

Vague Triggers

Severity: Medium | Confidence: 94%
Finding:
"Vitamin" is a common term across medicine, supplements, biology, and general wellness discussions, making it too broad for a contains-only activation rule. This can cause the skill to be invoked in contexts where the user is not asking for food database results, leading to misrouting and unintended API usage.

Vague Triggers

Severity: Medium | Confidence: 95%
Finding:
The term "nutrient" is overly generic and can appear in broad scientific, educational, medical, or policy discussions unrelated to this skill. Since the skill has network permission and an API key configuration, accidental activation may result in unnecessary outbound requests and degraded user trust, even if the direct security impact is moderate.

VirusTotal

VirusTotal findings are pending for this skill version.