Back to skill

Security audit

Personal Nutritionist

Security checks across malware telemetry and agentic risk

Overview

This nutrition tracker is not malware, but it stores and reuses sensitive personal health and eating-pattern information more broadly than its description clearly controls.

Install only if you are comfortable with a nutrition assistant keeping long-term memory about meals, goals, allergies, routines, and possible health or medication details. Before using it, review what will be written to MEMORY.md, decide whether to allow the heartbeat snippet and cron reminders, and make sure you know how to inspect, edit, delete, and disable saved memory and scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The heartbeat snippet explicitly instructs the skill to react to food mentioned 'in passing' and to prompt for logging, which contradicts the declared boundary that the skill should only trigger on explicit food-related messages. This creates unintended activation and collection of potentially sensitive dietary or health-related information from incidental conversation, undermining user consent and predictable behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The template directs the agent to persist a broad, evolving profile including health context, inferred behavioral patterns, routines, travel, and a synthesized 'who you are' identity summary. For a food logging skill, this exceeds strict data minimization and creates a concentrated store of sensitive personal and health-adjacent data that could be exposed, misused, or retained longer than necessary.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest materially misrepresents the skill's operational behavior by claiming zero CLI or binary use while the body instructs the agent to invoke the openclaw CLI for cron management. This can bypass user and platform expectations about execution surface and permission scope, making the skill more dangerous because users may consent under false assumptions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest says the skill only triggers on explicit food-related messages, but the instructions also cover reminders, weekly synthesis, lifecycle events, and health disclosures. This trigger-scope mismatch can cause the skill to activate or retain context in situations the user would not reasonably expect, increasing privacy risk.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs persistent storage of health conditions, fitness goals, and medications, which are sensitive health data categories that exceed what is necessary for simple meal logging. Retaining this information in long-lived memory increases harm from unauthorized access, secondary use, profiling, or accidental disclosure across future sessions.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger condition is overly broad because any casual mention of food can cause the skill to engage and ask a follow-up question. In a nutrition skill that maintains long-term memory of eating patterns, this increases the chance of unsolicited profiling, incorrect meal logs, and privacy-invasive prompts from low-signal conversational context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The onboarding flow directs the agent to persist user-supplied goal, calorie, protein, restriction, and meal-time data into MEMORY.md, but never tells the user that this personal and health-related information will be stored long-term. That creates an informed-consent and privacy risk, especially because the skill description emphasizes a 'living memory' and retained profile data over time.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill asks for weight, height, age, and activity level to estimate calorie targets, which are sensitive health-related attributes, but provides no warning that this data may be collected, processed, and potentially retained. In a nutrition-tracking context this is relevant data, but the absence of notice and consent still makes the handling unsafe.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The onboarding script offers cron-based reminders and a 'quietly' running Sunday synthesis, but does not clearly explain that background scheduled jobs will be created and run automatically after setup. Hidden or insufficiently disclosed automation can surprise users, lead to unintended recurring processing of personal data, and reduce user control over ongoing behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly tells the agent to write memory updates in the background without notifying the user, despite handling diet, behavior, and potentially health-related information. Silent persistence undermines informed consent and makes it easier to accumulate a sensitive profile the user does not realize is being expanded.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The cron reminders and synthesis jobs are designed to access MEMORY.md and daily notes proactively and in the background, but the privacy implications are not prominently disclosed at the point of setup. This creates a risk of ongoing automated processing of sensitive food, behavior, and health context beyond what the user may understand when enabling reminders.

Ssd 3

Medium
Confidence
93% confidence
Finding
The skill is architected to silently accumulate and reuse personal diet and behavioral data across sessions, which creates a durable profile without ongoing user awareness. Persistent cross-session profiling magnifies the impact of any later misuse, overcollection, or accidental disclosure because the data becomes richer over time.

Ssd 3

Medium
Confidence
94% confidence
Finding
The weekly synthesis directs the agent to read four weeks of logs and rewrite a holistic 'Who you are' profile and behavioral patterns section. This is sensitive inference and summarization, not just storage of user-provided facts, and it can create higher-risk personality and habit profiles that are more invasive than a basic nutrition tracker requires.

Ssd 3

High
Confidence
97% confidence
Finding
The skill directs persistent recording of health context and lifecycle events from casual disclosures, turning incidental conversation into durable sensitive records. In this nutrition-coaching context, that is especially dangerous because it combines health, behavior, and routine changes into a longitudinal profile that could expose intimate details if accessed or reused inappropriately.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.