Query running activity data from COROS sports watches

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed COROS fitness-data helper that logs in with user-provided credentials and reads running activity data, with no evidence of hidden or destructive behavior.

Install only if you are comfortable giving the skill access to your COROS account and running history. Treat COROS_ACCOUNT and COROS_PASSWORD as secrets, do not commit or share scripts/.env, avoid logging the generated MD5 password value, and rotate your COROS password if that value is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation instructs users to store a password-derived MD5 value in a .env file without warning that it is a sensitive credential equivalent or near-equivalent for authentication. Even if hashed, an MD5 password value may be reusable for login or vulnerable to offline cracking if exposed, so treating it as non-sensitive can lead to credential compromise.

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill is designed to access personal fitness activity data from a user's COROS account, but the documentation does not clearly warn that it processes private health/behavioral data. This lack of disclosure can lead to uninformed use, inappropriate sharing, or deployment in contexts where users do not understand the privacy implications.

VirusTotal

63/63 vendors flagged this skill as clean.
