Back to skill

Security audit

Feast - Intelligent meal planning, region and season aware shopping lists, respects dietary requirements, provides recipes, and generates immersive mealtime playlists

Security checks across malware telemetry and agentic risk

Overview

Feast is a coherent meal-planning skill, but users should understand that it stores personal food preferences and can create scheduled reminders through configured channels.

Before installing, be comfortable with Feast keeping meal history, dietary restrictions, allergies, location, schedule, budget, store preferences, and notification settings in workspace/meals. Use an explicit notification channel instead of auto if privacy matters, only enable Pushbullet or ntfy if you understand those services, and remove the stored cron jobs if you stop using Feast.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs reading and writing user workspace files (`profile.yaml`, `history.yaml`, weekly plans) and running a history-update script, yet no declared permissions are present. Undeclared file capabilities weaken user/admin visibility into what the skill can access and modify, increasing the risk of overbroad data access or unintended persistence without informed approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The onboarding flow instructs the agent to establish recurring cron jobs that can deliver messages over multiple external channels and optional push services, including invoking an external script and posting to ntfy. That materially expands the skill from meal planning into a general notification/automation capability, creating a path for persistent unsolicited messaging, cross-channel data leakage, and abuse if profile data or reminder content is manipulated.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The top-level description contains broad usage phrases like meal planning, recipe ideas, shopping lists, and cooking help, which overlap with ordinary conversation. This can cause the skill to activate unintentionally and access or modify persistent meal data when the user only wanted casual advice, creating privacy and integrity risks through accidental invocation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Example trigger phrases such as 'What's the meal plan status?', 'Let's plan next week's meals', and 'What's for dinner?' are common utterances that a user might say outside this skill. If these phrases auto-route into Feast, the skill may reveal stored personal schedule data, generate plans, or update workflow state without the user intentionally invoking it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill supports sending reminders and push notifications through Telegram, Discord, Signal, Pushbullet, and ntfy, but does not prominently warn that meal plans, schedules, and related personal preference data may be transmitted to third-party services. This creates a real privacy risk because users may unknowingly expose lifestyle, dietary, and timing information beyond the local workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The specification explicitly collects and stores sensitive personal data including location, dietary restrictions, allergies, budget, and household details, but it does not define privacy notices, consent flow, retention limits, access controls, or minimization rules. In a meal-planning context this data is not inherently unsafe to process, but storing it in workspace files without explicit safeguards creates privacy and misuse risk if the workspace, logs, or downstream integrations are exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The notification design sends meal-plan content and reminders through third-party channels such as Telegram, Discord, Signal, Pushbullet, and ntfy via external messaging or HTTP POST, but the specification does not require explicit user opt-in, transmission warnings, or redaction rules. That can expose sensitive routine, dietary, and household information to external services or misconfigured topics, especially for push systems like ntfy where topic-based delivery can be publicly guessable if not carefully configured.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill collects dietary restrictions, religious constraints, location, schedules, and channel preferences, then sets ongoing reminders, but it does not require a clear disclosure that this information will be stored and used for recurring notifications. Because some of this data is sensitive personal information, collecting it without explicit notice and consent increases privacy risk and the chance of unexpected outreach on external channels.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions direct the agent to save user profile data into workspace files such as profile.yaml, history.yaml, favourites.yaml, and failures.yaml without a retention policy, access warning, or deletion guidance presented to the user at collection time. This creates avoidable privacy exposure because sensitive dietary, religious, household, and behavioral data may persist indefinitely in local skill storage.

Session Persistence

Medium
Category
Rogue Agent
Content
- "Turn off morning hints"
- "Enable Pushbullet notifications"

When updating, remove old cron jobs using stored IDs and create new ones with updated settings.

## Workflows
Confidence
79% confidence
Finding
create new ones with updated settings. ## Workflows ### Onboarding Read [references/onboarding.md](references/onboarding.md) for the full flow. Essential questions: 1. Location (for seasonality, u

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.