BestYou Health Intelligence

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed BestYou health-data integration. The main risk lies in how its API key and sensitive wellness insights are handled.

Install only if you trust BestYou with processed health insights from your account. Treat BESTYOU_API_KEY like a password: avoid committing or syncing config files that contain it, restrict local file permissions where possible, and revoke or rotate the key in the BestYou app if it is exposed or no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The setup guide instructs users to export a live API key in the shell and also shows putting the bearer token directly into a JSON config file, both of which can leave credentials exposed in shell history, dotfiles, backups, or readable local configuration. Because this skill handles health-related account access, a leaked token could allow unauthorized access to sensitive personal wellness data and permitted actions such as workout or nutrition plan changes.

VirusTotal

No VirusTotal findings
