
Security audit

Garmin Realtime Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly guidance about Garmin real-time data options, not working tracking software, but users should treat any live location or health-data sharing as sensitive.

Install only if you want high-level guidance on Garmin real-time data approaches. Before using it for any live tracking or external data delivery, make sure the tracked person gives informed consent, the destination system is trusted, only necessary data is collected, transport is secured, and retention/sharing rules are defined.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 99%
Finding: This is a mismatch because the declared purpose describes a functional Garmin real-time tracking and data delivery skill, but the actual code does not implement any of that behavior. It neither connects to Garmin devices nor accesses live location, activity, or sensor streams, and it does not push data to any external system. There are no hidden extra capabilities; instead, the primary issue is that the code's actual behavior is materially different from the described purpose.

Vague Triggers

Medium
Confidence: 84%
Finding: The activation language is broad enough to trigger on many generic requests involving Garmin data or external delivery, including privacy-sensitive scenarios. That increases the chance the skill is invoked without clear user intent for live tracking or data exfiltration, which is risky given the subject matter involves location and health-related telemetry.

Missing User Warnings

High
Confidence: 95%
Finding: The skill discusses pushing live location, activity, and sensor data to external systems without clearly warning about consent, privacy, retention, third-party sharing, and sensitivity of health/location data. In this context, missing safeguards is dangerous because users could be guided into building or enabling continuous surveillance or health-data transmission without understanding the implications.

VirusTotal

65/65 vendors flagged this skill as clean.
