Back to skill

Security audit

Lose It Nutrition

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Lose It nutrition extractor, but users must protect the local password config and cached session token.

Install only if you are comfortable giving this tool access to your Lose It export. Prefer environment variables or the --zip flow on shared machines, keep config.json and the token file out of synced or backed-up folders, and treat the nutrition JSON output as personal health data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Session Persistence

Medium
Category
Rogue Agent
Content
data and store whatever you care about. The only file it writes locally is its own session-token cache
(`token_path`, mode 0600). Single static binary — **no Python or other runtime**.

> ⚠️ **Read-only** for your Lose It data — it reads the export and prints JSON. It is not a no-write
> tool, though: it caches its `liauth` **session token** (a reusable ~14-day credential) to
> `token_path` (mode 0600), and it reads your **plaintext** email/password from `config.json`. Both
> are secrets — see **Security & secrets** below.
Confidence
92% confidence
Finding
write > tool, though: it caches its `liauth` **session token** (a reusable ~14-day credential) to > `token_path` (mode 0600), and it reads your **plaintext** email/password from `config.json`. Both >

Unsafe Defaults

Medium
Category
Tool Misuse
Content
This tool handles two **sensitive** local files. Treat both as you would any password:

- **`config.json`** holds your Lose It **email and password in plaintext**. It is **gitignored** —
  never commit it, and don't drop it in a shared, world-readable, or backed-up location. On a shared
  machine, prefer the `LOSEIT_EMAIL` / `LOSEIT_PASSWORD` environment variables over a file on disk.
- **The session-token cache** (`token_path`, default `~/.config/loseit/token`) holds the `liauth`
  cookie — a **reusable, ~14-day session credential** for your account. It is written **owner-only
Confidence
89% confidence
Finding
world-readable

Unsafe Defaults

Medium
Category
Tool Misuse
Content
This skill handles two **sensitive** local files. Treat both as you would any password:

- **`config.json`** holds your Lose It **email and password in plaintext**. It is **gitignored** —
  never commit it, and don't place it in a shared, world-readable, or backed-up directory. On a shared
  machine, prefer the `LOSEIT_EMAIL` / `LOSEIT_PASSWORD` environment variables over a file on disk.
- **The session-token cache** (`token_path`, default `~/.config/loseit/token`) holds the `liauth`
  cookie — a **reusable, ~14-day session credential**. It is written **owner-only (`0600`)** in an
Confidence
78% confidence
Finding
world-readable

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.