
Security audit

Healthcheck Rose

Security checks across malware telemetry and agentic risk

Overview

This is a simple local health tracker that stores water and sleep records in a JSON file, with no evidence of network access, credential use, hidden execution, or destructive behavior.

Install only if you are comfortable with sleep and water history being kept locally in `health-data.json`. Use clear, intentional commands when recording entries, and keep the file out of shared folders if the data is private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 86%
Finding
The water-record trigger is loosely specified and tied to common natural-language phrases, which can cause unintended activation during ordinary conversation or quoted text. Because the action writes persistent health data to disk, accidental invocation can silently create false personal records and undermine data integrity.

Vague Triggers

Medium
Confidence: 88%
Finding
The sleep-record trigger uses a very common phrase that may appear in normal conversation, planning, or narration, making unintended execution plausible. Since the command persists health-related events, false sleep entries can accumulate and distort sensitive personal tracking information.

Vague Triggers

Medium
Confidence: 89%
Finding
The wake-record triggers are ordinary phrases likely to occur outside a command context, increasing the chance of accidental activation. In this skill, that risk is amplified because the action both writes to storage and computes derived sleep duration, producing misleading health history and stats.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill handles personal health-related data and supports creation, update, and deletion of records, yet the description does not clearly disclose this persistence or modification behavior. Insufficient disclosure can lead users to unknowingly store sensitive routine data locally and underestimate the consequences of accidental or unauthorized changes.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.