Fitbit (Official API)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Fitbit integration, but it defaults to broader health/profile access than its daily activity and sleep purpose requires.

Review the Fitbit consent screen before authorizing. Set FITBIT_SCOPES to only the permissions this workflow needs (most likely `activity` and `sleep`), choose a private token path, avoid storing raw output in shared locations, and override FITBIT_TZ with your actual timezone.
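The scope check described above, as an added example rather than the skill's own code: it reads FITBIT_SCOPES, reports anything beyond the two scopes the daily workflow needs, and builds the authorization URL (Fitbit's documented `https://www.fitbit.com/oauth2/authorize` endpoint, with a PKCE challenge) so the `scope` parameter that reaches the consent screen is exactly what you approved. The `FITBIT_CLIENT_ID` variable name and the loopback redirect URI are assumptions for the demo, not names from the skill.

```python
from __future__ import annotations

import base64
import hashlib
import os
import secrets
from urllib.parse import urlencode

# Scopes this daily activity/sleep workflow actually needs. Anything else
# (profile, heartrate, weight, ...) is the over-broad access the overview warns about.
NEEDED_SCOPES = frozenset({"activity", "sleep"})

# Fitbit's OAuth 2.0 authorization endpoint; its "scope" query parameter is
# exactly what the consent screen will show.
AUTHORIZE_URL = "https://www.fitbit.com/oauth2/authorize"


def parse_scopes(raw: str) -> set[str]:
    """Fitbit scopes are space-delimited; tolerate commas from hand-edited .env files."""
    return {s for s in raw.replace(",", " ").split() if s}


def excess_scopes(requested: str, needed: frozenset[str] = NEEDED_SCOPES) -> set[str]:
    """Scopes in FITBIT_SCOPES that the workflow does not need."""
    return parse_scopes(requested) - needed


def pkce_pair() -> tuple[str, str]:
    """Fresh PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id: str, scopes: set[str], redirect_uri: str,
                        code_challenge: str, state: str) -> str:
    """Authorization URL requesting only `scopes`, bound to a PKCE challenge and a state nonce."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "scope": " ".join(sorted(scopes)),
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def preflight(env: dict[str, str] | None = None) -> list[str]:
    """Problems with the configured scopes; an empty list means it is safe to open the consent screen."""
    env = dict(os.environ) if env is None else env
    requested = parse_scopes(env.get("FITBIT_SCOPES", ""))
    problems = []
    if not requested:
        problems.append("FITBIT_SCOPES is unset; set it explicitly instead of relying on a default")
    extra = requested - NEEDED_SCOPES
    if extra:
        problems.append(f"FITBIT_SCOPES requests scopes the workflow does not need: {sorted(extra)}")
    missing = NEEDED_SCOPES - requested
    if requested and missing:
        problems.append(f"FITBIT_SCOPES is missing scopes the workflow needs: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    issues = preflight()
    if issues:
        raise SystemExit("\n".join(issues))
    verifier, challenge = pkce_pair()  # keep `verifier` for the token exchange step
    # FITBIT_CLIENT_ID and the loopback redirect are assumptions for this demo.
    print(build_authorize_url(os.environ["FITBIT_CLIENT_ID"],
                              parse_scopes(os.environ["FITBIT_SCOPES"]),
                              "http://127.0.0.1:8080/callback", challenge, secrets.token_urlsafe(16)))
```

Run it with `FITBIT_SCOPES="activity sleep"` and it prints a URL whose `scope=activity+sleep` you can compare against the consent screen; with `profile` or `heartrate` added it refuses to proceed instead of letting the broader grant through.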

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The script writes full raw Fitbit API responses and endpoint URLs directly to disk instead of producing a minimized, normalized daily summary. Because the data includes sensitive health information, storing unnecessary raw payloads increases privacy exposure and downstream leakage risk if the output file is shared, indexed, or read by other tools.
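What the minimized, normalized summary would look like next to the raw dump the finding describes, as an added example that is not the skill's code. The two payloads are constructed and only modeled on the shape of Fitbit's daily activity and sleep responses; the values are invented. The allow-list of output fields and the leak markers are choices for this example.

```python
from __future__ import annotations

import json
from pathlib import Path

# Constructed samples modeled on the shape of Fitbit's daily activity and sleep
# responses; values are invented. Note how much is present that a daily summary
# never needs: resting heart rate, heart-rate zones, log IDs, per-activity detail.
ACTIVITY_ENDPOINT = "https://api.fitbit.com/1/user/-/activities/date/2024-03-01.json"
ACTIVITY_RAW = {
    "activities": [{"activityId": 90009, "logId": 1234567890, "name": "Run", "startTime": "07:05",
                    "duration": 1860000, "calories": 310}],
    "goals": {"steps": 10000, "activeMinutes": 30},
    "summary": {"steps": 11234, "caloriesOut": 2480, "restingHeartRate": 58,
                "sedentaryMinutes": 610, "lightlyActiveMinutes": 190,
                "fairlyActiveMinutes": 25, "veryActiveMinutes": 31,
                "heartRateZones": [{"name": "Fat Burn", "minutes": 40}],
                "distances": [{"activity": "total", "distance": 8.2}]},
}
SLEEP_RAW = {
    "sleep": [{"logId": 44556677, "dateOfSleep": "2024-03-01", "isMainSleep": True,
               "startTime": "2024-02-29T23:12:00.000", "endTime": "2024-03-01T06:41:00.000",
               "minutesAsleep": 412, "timeInBed": 449, "efficiency": 92,
               "levels": {"summary": {"deep": {"minutes": 71}, "rem": {"minutes": 95}}}}],
    "summary": {"totalMinutesAsleep": 412, "totalTimeInBed": 449, "totalSleepRecords": 1},
}

# The only fields the daily summary file is allowed to carry (allow-list chosen for this example).
SUMMARY_FIELDS = frozenset({"date", "steps", "active_minutes", "sedentary_minutes",
                            "minutes_asleep", "time_in_bed_minutes", "sleep_efficiency"})

# Substrings whose presence in an output record means raw payload leaked through.
LEAK_MARKERS = ("https://", "logId", "restingHeartRate", "heartRateZones", "levels")


def raw_dump_record(endpoint: str, response: dict) -> dict:
    """The pattern the finding describes: endpoint URL plus the full response, written as-is."""
    return {"endpoint": endpoint, "response": response}


def summarize_day(date: str, activity_raw: dict, sleep_raw: dict) -> dict:
    """Minimized, normalized daily record: totals only, no identifiers, no physiology beyond sleep."""
    a = activity_raw.get("summary", {})
    s = sleep_raw.get("summary", {})
    main = next((x for x in sleep_raw.get("sleep", []) if x.get("isMainSleep")), None)
    return {
        "date": date,
        "steps": int(a.get("steps", 0)),
        "active_minutes": int(a.get("fairlyActiveMinutes", 0)) + int(a.get("veryActiveMinutes", 0)),
        "sedentary_minutes": int(a.get("sedentaryMinutes", 0)),
        "minutes_asleep": int(s.get("totalMinutesAsleep", 0)),
        "time_in_bed_minutes": int(s.get("totalTimeInBed", 0)),
        "sleep_efficiency": main.get("efficiency") if main else None,
    }


def leak_markers(record: dict) -> list[str]:
    """Markers from LEAK_MARKERS that appear anywhere in the serialized record."""
    text = json.dumps(record)
    return [m for m in LEAK_MARKERS if m in text]


def write_summary(path, summary: dict) -> None:
    """Refuse to persist anything beyond the allow-listed fields or anything that looks raw."""
    extra = sorted(set(summary) - SUMMARY_FIELDS)
    leaked = leak_markers(summary)
    if extra or leaked:
        raise ValueError(f"refusing to write raw payload data: fields={extra} markers={leaked}")
    Path(path).write_text(json.dumps(summary, sort_keys=True) + "\n", encoding="utf-8")


if __name__ == "__main__":
    print("raw dump leaks:", leak_markers(raw_dump_record(ACTIVITY_ENDPOINT, ACTIVITY_RAW)))
    day = summarize_day("2024-03-01", ACTIVITY_RAW, SLEEP_RAW)
    print("summary leaks:", leak_markers(day))
    write_summary("daily-summary.json", day)
```

The raw dump trips four markers (the endpoint URL, a log ID, resting heart rate, heart-rate zones); the summary trips none and carries only the seven fields a daily activity/sleep report needs.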

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly requires OAuth client credentials and stores refresh/access tokens locally, but it provides no warning about protecting those secrets or securing the token file. If the token path is readable by other users, committed to source control, or logged accidentally, an attacker could reuse Fitbit tokens or client secrets to access private health and activity data.
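The three exposures the finding lists (readable by other users, committed to source control, logged accidentally) each have a cheap check. The following is an added example, not code from the skill: it writes the token file owner-only and atomically, reports loose permissions, foreign ownership or a `.git` directory above the token path (POSIX semantics), and produces a redacted copy for logs. The token response is constructed and modeled on the fields Fitbit returns; the values are not real credentials.

```python
from __future__ import annotations

import json
import os
import stat
import tempfile
from pathlib import Path

# Keys in a Fitbit token response (and the client config) that must never be printed or logged.
SECRET_KEYS = frozenset({"access_token", "refresh_token", "client_secret"})


def save_tokens(path: str | os.PathLike, tokens: dict) -> Path:
    """Write the token JSON readable by the owner only, replacing any previous file atomically."""
    path = Path(path).expanduser()
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    # O_CREAT with mode 0o600 never yields a file wider than owner-only, whatever the umask.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(tokens, fh)
    os.chmod(tmp, 0o600)  # defensive: the temp file may have pre-existed with looser bits
    os.replace(tmp, path)
    return path


def token_path_problems(path: str | os.PathLike) -> list[str]:
    """Reasons the token file is exposed to other users or to source control (POSIX semantics)."""
    path = Path(path).expanduser()
    if not path.exists():
        return [f"{path}: token file does not exist"]
    st = path.stat()
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {oct(mode)} grants group/other access; expected 0o600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    for parent in path.resolve().parents:
        if (parent / ".git").exists():
            problems.append(f"{path}: lives inside git checkout {parent}; move it or add it to .gitignore")
            break
    return problems


def redacted(tokens: dict) -> dict:
    """Copy of `tokens` safe to log: secret values reduced to their last four characters."""
    return {k: (f"***{v[-4:]}" if k in SECRET_KEYS and isinstance(v, str) else v)
            for k, v in tokens.items()}


def demo() -> dict:
    """Round-trip in a throwaway directory; returns the check results before and after loosening the mode."""
    # Constructed token response modeled on the shape Fitbit returns; not real credentials.
    tokens = {"access_token": "eyJhbGciOiJIUzI1NiJ9.FAKE.token1234", "refresh_token": "deadbeefcafe5678",
              "scope": "activity sleep", "token_type": "Bearer", "user_id": "ABC123", "expires_in": 28800}
    tmpdir = tempfile.mkdtemp()
    path = save_tokens(Path(tmpdir) / "fitbit" / "tokens.json", tokens)
    saved_mode = oct(stat.S_IMODE(path.stat().st_mode))
    before = token_path_problems(path)
    os.chmod(path, 0o644)  # simulate a token file created with a default umask
    after = token_path_problems(path)
    return {"saved_mode": saved_mode, "before": before, "after": after, "logged": redacted(tokens)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `token_path_problems()` on the configured token path at startup and refuse to continue while it returns anything; log only `redacted(tokens)`, never the token dict itself.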

Natural-Language Policy Violations

Severity: Medium
Confidence: 79%
Finding
Using `Asia/Shanghai` as the default timezone without user opt-in can silently mis-normalize daily activity and sleep summaries for users in other regions. In a wellness context, date-boundary errors can lead to incorrect daily aggregates, misleading reports, and privacy surprises if users assume data is interpreted in their local timezone.
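The date-boundary error made concrete, as an added example that is not the skill's code: the same three UTC-stamped samples bucket into different calendar days under `Asia/Shanghai` and `America/Los_Angeles`, and the only safe default for FITBIT_TZ is no default. The step samples are constructed; a real Fitbit intraday series is reported in the account's own timezone, and UTC stamps are used here only so the shift is visible.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed intraday step samples, timestamped in UTC (values invented).
EVENTS_UTC = [
    ("2024-03-01T03:00:00Z", 500),   # Shanghai: 01 Mar 11:00; Los Angeles: 29 Feb 19:00
    ("2024-03-01T20:30:00Z", 1200),  # Shanghai: 02 Mar 04:30; Los Angeles: 01 Mar 12:30
    ("2024-03-02T01:00:00Z", 300),   # Shanghai: 02 Mar 09:00; Los Angeles: 01 Mar 17:00
]


def timezone_problems(env: dict[str, str]) -> list[str]:
    """Why FITBIT_TZ cannot be used as-is; an empty list means it names a valid IANA zone."""
    name = env.get("FITBIT_TZ")
    if not name:
        return ["FITBIT_TZ is unset; refusing to fall back to a region default such as Asia/Shanghai"]
    try:
        ZoneInfo(name)
    except (ZoneInfoNotFoundError, ValueError):
        return [f"FITBIT_TZ={name!r} is not a valid IANA timezone name"]
    return []


def resolve_timezone(env: dict[str, str]) -> ZoneInfo:
    """Fail closed: no silent default, no typo tolerated."""
    problems = timezone_problems(env)
    if problems:
        raise ValueError("; ".join(problems))
    return ZoneInfo(env["FITBIT_TZ"])


def local_day(ts_utc: str, tz_name: str) -> str:
    """Calendar date of a UTC timestamp in the given zone ('Z' suffix handled for Python < 3.11)."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return dt.astimezone(ZoneInfo(tz_name)).date().isoformat()


def bucket_by_local_day(events, tz_name: str) -> dict[str, int]:
    """Daily step totals keyed by the user's local calendar date."""
    totals: dict[str, int] = defaultdict(int)
    for ts, steps in events:
        totals[local_day(ts, tz_name)] += steps
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    for zone in ("Asia/Shanghai", "America/Los_Angeles"):
        print(zone, bucket_by_local_day(EVENTS_UTC, zone))
    print(timezone_problems({}))
```

Under `Asia/Shanghai` the 1200-step burst lands on 2 March; for a Los Angeles user it belongs to 1 March, and the 500 steps at 03:00Z belong to 29 February, a day that does not appear in the Shanghai report at all. A wrong default does not crash; it quietly produces a different daily total.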

VirusTotal

66/66 vendors flagged this skill as clean.
