Withings Family

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Withings health-data integration that stores local OAuth tokens, with privacy considerations but no evidence of hidden or malicious behavior.

Install only if each person whose Withings account is added has authorized that access. Keep the local skill directory and token files private, revoke Withings app access or delete token files when access is no longer needed, and use explicit limits for body-composition history when you do not want broad historical output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
This skill is designed to access multiple family members' health data and store per-user OAuth tokens locally, but it does not prominently warn about consent, sensitivity of health information, or the need to ensure authorization for each person. Because the data includes weight, body composition, activity, and sleep, misuse could expose highly sensitive medical-adjacent personal information across multiple individuals.

VirusTotal

65/65 vendors flagged this skill as clean.
