Fitness Finder

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Camino fitness-location search skill that uses your Camino API key and sends search/location details to Camino as expected.

Install this only if you are comfortable sharing fitness searches and any provided location coordinates with Camino and using your Camino API quota. Keep CAMINO_API_KEY private, and install the specific fitness-finder skill rather than the full Camino suite unless you intend to review and use the companion skills too.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares shell-based execution requirements (`curl`, `jq`) and provides shell script usage, but does not declare corresponding permissions. This creates a permission/transparency gap: users and host systems may underestimate the skill's ability to execute commands and access environment-provided secrets during runtime.

Missing User Warnings

Medium
Confidence: 90%
Finding: The script sends user-provided query text and precise location parameters (lat/lon, radius) to a third-party API without any explicit user-facing notice, consent prompt, or minimization. In a location-search skill, this transmission is functionally necessary, but it still creates a real privacy risk because potentially sensitive location data is exported off-host to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.
