Cn Weight Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local Chinese weight-tracking helper that stores the user’s weight data in a single local JSON file and shows no network access, credential access, or hidden behavior.

Install only if you are comfortable storing weight, height, BMI-related values, and targets locally in the skill’s JSON file. The reviewed version does not appear to upload data or access credentials, but the stored health data is still personal and should be treated accordingly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation instructs execution of a local Python script and explicitly identifies a local JSON data store, which implies file read/write behavior without any declared permissions. Undeclared capability use undermines transparency and informed consent, and in agent ecosystems it can enable broader-than-expected access if the runtime grants filesystem operations implicitly.

VirusTotal

65/65 vendors flagged this skill as clean.
