Apple Watch Health Sync

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for local Apple Watch health syncing, but it handles sensitive health data with overly broad persistence, privilege, sharing, and network exposure defaults.

Install only if you are comfortable running a persistent local health-data server. Keep it on a trusted private network, avoid elevated startup tasks, do not share the API key in chat or screenshots, limit selected health metrics, and plan how to stop the service, rotate the key, and delete stored data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        import flask  # noqa: F401
    except ImportError:
        print("  Flask not found, installing...")
        subprocess.check_call([sys.executable, "-m", "pip", "install", "flask"])
        print("  Flask installed.")
Confidence
90% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "flask"])

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill directs the agent to add heartbeat tasks that continuously monitor sensitive health data and send proactive messages such as wake-up alerts. That exceeds the stated on-demand sync/query/troubleshooting purpose and introduces ongoing surveillance of highly sensitive personal information without clear consent boundaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The instructions tell the agent to send local files and screenshots to the user, including handling the API key from .env.json and sharing dashboard/tutorial artifacts. This broadens data handling beyond the core sync function and increases the risk of exposing secrets or sensitive health summaries through insecure channels.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The setup script installs packages, runs system commands, and later downloads code from GitHub, which expands far beyond a passive health-data query capability. This matters because users may run it expecting simple local setup, while it actually changes the environment and pulls in external dependencies that can affect system integrity.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation says everything stays in the skill directory, but the script reaches out to GitHub and package indexes. That mismatch can mislead users about data flow and system changes, undermining informed consent and creating misplaced trust in actions they may not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read the API key from .env.json and send it to the user, but provides no warning about secret handling, channel trust, or risks of interception. API keys are authentication secrets; disclosing them through chat or attachments can allow unauthorized access to private health data endpoints.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The heartbeat section proposes periodic checks of sleep and heart-rate data and using results to message the user, without an explicit privacy warning or consent step. Because health data is highly sensitive, routine polling and inferred-status messaging materially increases privacy risk even if the data never leaves localhost.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatically installing packages and performing remote downloads without an explicit warning is risky because it modifies the machine and depends on third-party infrastructure. In the context of a skill that will process health information, users should be clearly informed before any setup step that changes the environment or reaches external services.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script generates `.env.json` containing an API key and writes it to disk without an upfront privacy/security warning. While local file creation is expected in setup tooling, writing credentials should be disclosed clearly so users understand what sensitive material is being stored.

Missing User Warnings

High
Confidence
96% confidence
Finding
The generated server accepts, stores, and serves Apple Health data, but the setup flow does not prominently explain the privacy implications of exposing and retaining highly sensitive personal health records. Because health data is especially sensitive, insufficient warning materially increases the risk of accidental overexposure or unsafe deployment.

Ssd 3

High
Confidence
97% confidence
Finding
The skill instructs the agent to disclose a locally stored secret file's contents by reading .env.json and sharing the API key with the user. Normalizing secret extraction from local storage is dangerous because the same pattern can expose credentials through logs, screenshots, or misaddressed messages, enabling unauthorized access to health records.

Ssd 3

Medium
Confidence
91% confidence
Finding
The heartbeat workflow normalizes sending health-related messages based on continuously monitored private data, such as sleep timing and heart-rate checks. Even if intended as a convenience feature, this operationalizes sensitive inference and disclosure from private medical-adjacent data without strong safeguards.

VirusTotal

64/64 vendors flagged this skill as clean.
