Workout Logger

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward workout logging skill; its data retention is expected for the purpose but should be treated as personal health-related information.

Safe to install based on the provided evidence. Because workout logs can reveal health, schedule, and habit patterns, use it only where you are comfortable storing that information, and review the host app’s controls for export, retention, and deletion.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The trigger phrase "gym session" is broad enough to match ordinary conversation about fitness, increasing the chance the skill activates when the user did not explicitly intend to invoke it. Because this skill stores workout history and progress data, accidental invocation can lead to unintended collection or disclosure of sensitive health-related activity data.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill description emphasizes remembering workouts and showing history, but it does not clearly warn users that their workout history and progress data will be persistently stored. This is dangerous because users may share health, schedule, and habit information without informed consent, creating privacy and trust risks if the data is retained or later exposed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal