Back to skill

Security audit

Hevy

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Hevy API skill, but it is advertised mainly as a workout query tool while also exposing account-changing commands without built-in confirmation.

Install only if you intend to give an agent access to your Hevy account through HEVY_API_KEY. Treat this as a read/write account-management tool, not just a workout lookup helper, and review any create or update command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires an API key and communicates with an external service, but the manifest does not clearly declare permissions or user-facing capability boundaries for environment access and network use. This creates a transparency and governance issue: users or orchestrators may treat the skill as lower risk than it is, despite access to personal fitness data and a remote API.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description presents the skill as query-only, but the documented behavior includes state-changing operations such as creating and updating workouts, routines, folders, and exercises. This mismatch is dangerous because an agent or user may invoke the skill assuming it is read-only, leading to unintended modifications to the user's Hevy account.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest advertises a query-only workout data skill, but the documentation exposes create and update actions for routines, folders, and custom exercises. In the skill context, this makes the issue more dangerous because users asking about workout history would not reasonably expect account mutations, increasing the chance of accidental or unauthorized changes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file claims the CLI focuses on read operations while also documenting multiple write commands as supported behavior. This contradictory guidance can mislead operators, reviewers, or automated systems into underestimating the risk of the tool and permitting use in contexts where only non-mutating access should be allowed.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata says this is a query-oriented workout data skill, but the client exposes multiple state-changing operations that can create or modify workouts, routines, folders, and exercise templates. In an agent setting, this expands capability beyond the declared user expectation and can lead to unauthorized or surprising remote changes to a user's fitness account if these methods are invoked by prompt confusion, tool misuse, or malicious instruction injection.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says it is for querying workout data, but the CLI also exposes mutating operations that create and update routines, folders, and exercises. In an agent setting, this capability mismatch can bypass user and platform expectations, causing unauthorized state changes to a user's Hevy account when the skill is invoked under a read-only trust model.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
These methods perform remote state-changing operations for workouts without any built-in confirmation, authorization gating, or friction. In an agent environment, a mistaken tool call or prompt-injected instruction could cause unwanted creation or modification of a user's workout records, impacting data integrity and trust.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The routine, folder, and exercise-template write methods allow modification of remote account data with no explicit confirmation or scoped restriction visible in this file. Because the skill context is presented as workout querying, these hidden write paths are more dangerous: an agent or downstream consumer may treat the skill as read-only and inadvertently trigger persistent account changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.