TrainingPeaks

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TrainingPeaks command-line skill, but it handles live account credentials that users must protect carefully.

Install only if you are comfortable giving the skill access equivalent to your TrainingPeaks web session. Do not share the cookie, token files, command history, or logs containing credentials; refresh or revoke your TrainingPeaks session if you suspect exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill advertises and relies on broad capabilities—environment access, file read/write, network access, and shell execution—while declaring no permissions. That creates a trust and containment gap: a user may invoke a skill that can exfiltrate cookies, tokens, profile data, or other local secrets without having been clearly warned about its effective privileges.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to extract a live browser authentication cookie and store it locally or in an environment variable, then exchanges it for a bearer token, but does not prominently warn that these are highly sensitive account credentials. Because this is cookie-based authentication to an internal API, compromise of the cookie or cached token could enable unauthorized access to training history, profile data, and possibly broader account actions until expiry or revocation.

VirusTotal

63/63 vendors flagged this skill as clean.
