Back to skill

Security audit

Gevety MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Gevety health-data skill that uses a user-provided token to read sensitive health information from Gevety's API, with no evidence of hidden or unrelated behavior.

Install only if you want your agent to access your Gevety account health data. Use a dedicated Gevety API token, keep it out of chat when possible, revoke it when no longer needed, and ask for only the specific labs, medications, documents, or wearable data you need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The manifest description is very broad and covers many categories of health data and functions, which can cause the skill to be invoked for loosely related health queries without the user clearly intending to send sensitive information to Gevety. In a health-data skill, overbroad routing is more dangerous because accidental invocation may transmit highly sensitive medical, biomarker, medication, and document data to an external API.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill begins by encouraging retrieval of the user's health data via REST API but does not present an upfront privacy warning that sensitive health information will be transmitted to an external service. Because this skill handles especially sensitive categories such as biomarkers, medications, medical profile, lab reports, and clinical findings, users may disclose or trigger access to regulated-style health data without informed awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.