Security audit

Cycle Sync Training

Security checks across malware telemetry and agentic risk

Overview

The skill’s cycle-based fitness purpose is coherent, but it handles sensitive menstrual-health data with broad triggers and unclear privacy controls.

Review this before installing if users may share menstrual, symptom, mood, or energy data. Use it only where users explicitly opt in to cycle-based coaching, understand that data may be stored in Supabase and sent through messaging services, and have a way to limit, delete, or keep sensitive responses out of third-party channels.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: High
Confidence: 95%

Finding: The trigger explicitly states the skill should activate even when the user asks generally about women’s workout plans without mentioning cycle-related topics. That broad routing can cause the agent to inject menstrual-cycle assumptions into unrelated fitness requests, leading to unnecessary collection or inference of sensitive reproductive-health data and inappropriate tool use.

Vague Triggers

Severity: Medium
Confidence: 87%

Finding: The trigger keywords include generic terms such as 'cycle', 'phase', and 'hormone' that are ambiguous outside this domain and may overlap with unrelated conversations. This increases accidental activation risk, which is especially sensitive here because the skill handles intimate health data and could steer responses toward reproductive-health assumptions.

Missing User Warnings

Severity: High
Confidence: 97%

Finding: The skill documents logging menstrual phase, symptoms, mood, energy, dates, and user identifiers, which are sensitive health-related data. Without any user-facing notice, consent flow, retention policy, or handling constraints, the design risks covert collection and storage of regulated or highly private information.

Missing User Warnings

Severity: High
Confidence: 94%

Finding: The integration flow shows user cycle history and related data passing through Supabase and then responses being sent to LINE Notify / Facebook, but the skill provides no warning that sensitive reproductive-health information may leave the core system or appear in third-party messaging channels. Exposure through external services increases privacy, compliance, and unauthorized disclosure risks, especially if messages are visible on shared devices or managed by external providers.

VirusTotal

63/63 vendors flagged this skill as clean.