Back to skill

Security audit

Speediance Gym Monster

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Speediance CLI integration that reads workouts and creates user-requested programs using the user's own account credentials.

Install only if you are comfortable giving the tool your Speediance email/password and allowing it to cache a session token. Prefer real environment variables or a trusted, gitignored .env/config.json, run from directories you control, check `config path` for token location, and use `push --dry-run` before creating programs on your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Credential Access

High
Category
Privilege Escalation
Content
// a stray or hostile .env could escalate into the tool's runtime. godotenv.Read
	// returns the file as a map and changes no global state, so unknown keys are
	// never applied. The documented feature is preserved: SPEEDIANCE_* values in
	// .env still act as the env layer. A missing/unreadable .env yields a nil map
	// and is a silent no-op.
	dotenv, _ := godotenv.Read()
Confidence
65% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
// a stray or hostile .env could escalate into the tool's runtime. godotenv.Read
	// returns the file as a map and changes no global state, so unknown keys are
	// never applied. The documented feature is preserved: SPEEDIANCE_* values in
	// .env still act as the env layer. A missing/unreadable .env yields a nil map
	// and is a silent no-op.
	dotenv, _ := godotenv.Read()
Confidence
65% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.