Nexus — Workout & Nutrition Tracker

Security checks across malware telemetry and agentic risk

Overview

This fitness-tracking skill is transparent about using a cloud-backed Nexus CLI, with privacy considerations but no evidence of hidden or malicious behavior.

Before installing, review the Nexus privacy policy and OAuth prompts, and avoid logging sensitive details you do not need. Treat friend-history features as access to another person's personal fitness data, and remember that installing the CLI runs third-party package code on your machine.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly states that workout, meal, and weight data are stored in the cloud, but it does not warn users that this is sensitive health-related personal data leaving the local terminal environment. That omission can mislead users into sharing intimate fitness and nutrition information without informed consent, especially in an agent context where users may assume commands are local and low-risk.

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The skill documents `--friend-id` history access and friend-management features without an explicit caution that this exposes other users' shared fitness data and should only be used with appropriate authorization and user intent. In an agent setting, this can normalize accessing third-party data without sufficient consent awareness, increasing the risk of privacy misuse.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal