Back to skill

Security audit

Withings (Official API)

Security checks across malware telemetry and agentic risk

Overview

This skill coherently connects to Withings to fetch personal wellness data, but users should protect the local token and exported health files.

Install only if you are comfortable granting Withings access for the listed wellness data. Keep the token path and raw/normalized JSON outputs in a private directory, avoid shared temporary locations for retained exports, and revoke or rotate the Withings OAuth grant if the token file may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities to read environment variables, perform file reads/writes, access the network, and invoke shell commands, yet no explicit permissions are declared. For an OAuth integration handling tokens and health data, this under-declaration reduces transparency and can lead users or the host platform to grant broader effective access than they realize. The context makes this more sensitive because the skill stores refresh tokens locally and retrieves personal health information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill handles OAuth credentials, persists tokens locally, and accesses sensitive personal health data, but the description does not prominently warn users about credential storage, token persistence risks, or the scope of medical/wellness data access. This omission can cause users to authorize the integration without informed consent about local secret storage and exposure of health measurements, increasing the chance of privacy harm if the host machine or files are compromised.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.