Security audit

Wellness Hub

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for wellness data, but it handles sensitive health information through a public-tunnel bridge with weak disclosure and an unauthenticated status endpoint.

Review before installing if you plan to sync real health data. Keep the tunnel URL and bearer token private, avoid cloud-storing the token unless you accept that risk, stop the tunnel when not syncing, confirm every destination before posting digests to chat, and periodically delete stored bridge payloads you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill orchestrates installation of other skills, authorization flows, local storage of tokens, file-based ingestion, digest generation, and optional message pushing, which collectively imply shell, file, network, and environment access despite no declared permissions. This mismatch undermines least-privilege controls and informed review, especially because the skill processes sensitive health data and can write or push derived content into chat channels.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The invocation language is broad enough to trigger on many generic wellness or health-related requests, which can cause the skill to activate in contexts where users did not intend data aggregation, app installation, or authorization workflows. Because this skill acts as a hub that can install source skills and handle sensitive health integrations, overbroad matching increases the chance of unexpected high-privilege behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill is designed to collect, normalize, summarize, and push highly sensitive health data into chat channels, yet the user-facing description does not prominently warn about privacy, retention, or integrity risks. In this context, lack of explicit notice is dangerous because users may authorize multiple data sources and enable scheduled pushes without understanding where health information will be stored, merged, or sent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation instructs users to expose a local health-data ingestion service through a public tunnel, but it does not explicitly warn that this makes the endpoint internet-reachable and may expose sensitive medical or wellness data if the token is leaked, guessed, logged, or misconfigured. Because the bridged data concerns health information and the guide normalizes public exposure as a setup step, the missing privacy and threat warning materially increases the chance of unsafe deployment and accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The documentation instructs users to send a bearer token and health-related data to a tunnel-exposed remote endpoint, but it does not warn about the sensitivity of the data, token handling, or the risks of exposing ingestion services over a public tunnel. In a wellness skill, this context increases concern because the transmitted payload may include sensitive health information, and poor user understanding could lead to privacy leakage or unauthorized data submission if the token or endpoint is mishandled.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The document instructs users to send sensitive Apple Health aggregates and a bearer token to a remote tunnel URL, but it does not clearly warn about the privacy implications, data sensitivity, retention, or trust boundary involved. In the context of a wellness aggregation skill, this omission is especially risky because health data is highly sensitive and tunnel endpoints can expose personal data to unintended recipients if misconfigured, shared, or intercepted through user error.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This document specifies transmission and retention of sensitive health data and explicitly states that the bridge will store the full JSON as-is, but provides no privacy notice, data minimization guidance, retention limits, or handling constraints. In a wellness skill, this is especially risky because the payload can contain protected health information and metadata such as timezone and timestamps that increase identifiability.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The bridge persists sensitive wellness data to local disk in plaintext JSON and also records the full stored file path in metadata exposed by the unauthenticated /status endpoint. In this wellness context, the data is highly sensitive, so lack of explicit user warning, retention controls, and broad local exposure increases privacy and confidentiality risk if the host, tunnel, or local account is accessed by others.

VirusTotal

64/64 vendors flagged this skill as clean.