Nutrition

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local nutrition tracker that stores meal and supplement records on the user's device, with no evidence of hidden execution or data transfer.

Install only if you are comfortable keeping nutrition, meal, supplement, and goal records under ~/nutrition/ on your device. Review or delete that folder if you no longer want the information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs creation of a persistent workspace under the user's home directory, but nowhere tells the user that meal, supplement, and health-related nutrition data will be stored locally. Because nutrition logs can reveal sensitive health habits and conditions over time, silent persistence creates a meaningful privacy risk even if the data never leaves the machine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The meal-logging instructions tell the agent to add user-described meals to a daily log, which means personal dietary and supplement information will be retained across sessions without an explicit storage warning at the point of collection. This is dangerous because users may disclose sensitive health, lifestyle, or religious information while assuming the interaction is ephemeral.

VirusTotal

65/65 vendors flagged this skill as clean.
