Back to skill

Security audit

Endurance Coach

Security checks across malware telemetry and agentic risk

Overview

The skill fits endurance coaching, but it persistently stores sensitive athlete data and private coach notes without clear upfront consent or review controls.

Review before installing. Use it only if you are comfortable authorizing Strava through the external endurance-coach npm CLI and keeping sensitive training, health, schedule, goals, and coaching notes under ~/.endurance-coach. Periodically inspect or delete Athlete_Context.md, coach.db, and any saved notes if you do not want that information retained, and treat race nutrition, caffeine, field testing, and high-volume plans as general guidance that may need a qualified coach or clinician.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs creating and updating `~/.endurance-coach/Athlete_Context.md` with sensitive personal information such as health status, family/work constraints, injuries, and coaching notes, but it does not require informing the user that this data will be stored locally. That creates a privacy and consent gap: users may disclose sensitive information expecting ephemeral use, while the agent persists it on disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to authenticate with Strava and sync training history, which imports third-party activity and fitness data, yet it does not require a clear privacy disclosure or explicit informed consent before access. Because training logs can reveal health, location, routines, and historical performance data, silent or poorly explained import increases privacy risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This section gives specific progression rules, long-session build guidance, and event-specific minimum training volumes without an explicit safety warning to individualize based on injury history, medical status, recovery capacity, age, heat, and experience. In an endurance-coaching skill, users may treat these numbers as prescriptive; that can contribute to overuse injury, overtraining, or unsafe ramp rates, especially for beginners or athletes returning from illness or injury.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section gives concrete carbohydrate, fluid, sodium, and caffeine dosing recommendations for long-endurance events without clear screening for age, body size, medical conditions, heat tolerance, medications, caffeine sensitivity, or known contraindications. In a coaching skill, users may treat these values as prescriptive advice; overhydration, underhydration, GI distress, hyponatremia risk, or adverse stimulant effects could result if the guidance is followed without individualization.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.