Habit AI

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Habit AI integration, but users should understand it can send sensitive health and journal data to Habit AI.

Before installing, be comfortable with your agent sending health-related text, food photos, journal entries, weight, and similar data to Habit AI. Avoid sending unnecessary medical details, secrets, or unrelated personal information, and review Habit AI's privacy and deletion practices.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill handles highly sensitive health data, including nutrition logs, journal entries, profile data, and food photos, but the setup and usage guidance do not clearly warn users that this information is transmitted to a third-party service. This creates a real privacy and consent issue because users may disclose medical- or health-adjacent information without understanding where it is sent or stored.

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The API reference documents highly sensitive health, behavioral, and journal-processing endpoints, including AI analysis of food images and coaching features that rely on personal history, without any privacy, retention, consent, or transmission-sensitivity guidance. In a skill context, this increases the chance an agent will collect and transmit intimate health and journaling data without adequately informing users or minimizing disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal