ClawHub
Back to skill

Security audit

trainedby.ai MCP

Security checks across malware telemetry and agentic risk

Overview

This is a coherent trainedby.ai coaching integration, but it can read sensitive health and coaching records through an external MCP service.

Install only if you trust trainedby.ai with health, fitness, goals, reflections, and coaching profile data. Review the OAuth login carefully, expect the assistant to read recent timeline activity during relevant coaching sessions, and approve note saves only when you want that information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list is broad and includes common conversational phrases such as "set a goal," "how am I doing," and "what did I do last week," which can cause the skill to activate in ordinary chat without the user explicitly intending to access the trainedby service. In this skill's context, unintended activation is more dangerous because the connected tools retrieve and search sensitive health and coaching data, increasing the chance of unnecessary exposure or processing of personal information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill invites access to health data, fitness goals, reflections, and onboarding profile information but does not present a clear privacy warning or explicit consent boundary before retrieval and search operations. Because these tools can access sensitive personal wellness data, users may not realize that a seemingly simple coaching query could trigger searches across historical health-related records.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal