Back to skill

Security audit

HerCycle

Security checks across malware telemetry and agentic risk

Overview

The skill appears to handle sensitive reproductive-health and biometric data, but its activation and possible external actions are not scoped tightly enough for that sensitivity.

Review this skill carefully before installing. Only use it if you are comfortable with an agent accessing or inferring menstrual-cycle and biometric data, and require explicit confirmation before it connects to live health services or performs any external action such as changing schedules, sending messages, or calling third-party tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation description is broad enough to match common requests about energy, mood, diet, exercise, and scheduling, which can cause the skill to activate in situations where the user did not clearly intend to invoke a menstrual-cycle and biometric analysis tool. In this skill, that is especially sensitive because invocation may lead to access to reproductive-health and biometric data, making over-triggering a privacy and consent problem rather than just a routing issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accesses highly sensitive health data, including biometric signals and menstrual-cycle information, and may infer cycle phase even when explicit logs are absent. Failing to clearly warn users about this collection and inference undermines informed consent and increases the risk of unexpected processing of reproductive-health data, which is particularly sensitive in many privacy and regulatory contexts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file states that a module may 'return a recommendation string or trigger an external action' without defining what actions are permitted, what user consent is required, or what safeguards apply. In a skill that makes health- and schedule-related recommendations, undisclosed external actions could modify calendars, send messages, or call third-party services in ways the user did not explicitly authorize.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.