Nutrition Dietetics

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only nutrition career roadmap API skill with purpose-aligned data fields and no executable code, installs, credentials, or persistence.

Safe to install from the artifacts reviewed, but treat the API as a third-party service: only send assessment details needed for the roadmap, avoid sensitive personal or medical information, and prefer pseudonymous session/user identifiers where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The example request includes persistent-looking session identifiers, a user identifier, and timestamps, but the skill provides no privacy notice, minimization guidance, or data-handling disclosure. Even as sample data, this normalizes collecting and transmitting correlatable identifiers for career-profile information and can lead integrators to send unnecessary personal or pseudonymous data to a third-party API.

Missing User Warnings

Medium

Confidence: 81% confidence
Finding: The API accepts session-linked and potentially user-linked assessment data, including experience, skills, goals, timestamps, and optional userId, yet the spec provides no privacy notice, data minimization guidance, or handling constraints. This creates a realistic risk of over-collection and inadvertent transmission of personal profile data by integrators or agents, especially in a personalized career-guidance context.

VirusTotal

58/58 vendors flagged this skill as clean.

View on VirusTotal