Back to skill

Security audit

Personal Health Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Fitbit health-data skill, but it gives the agent broad access to sensitive health data and unrestricted local Python execution without enough containment or disclosure.

Review carefully before installing. Use only on a trusted personal machine, avoid pasting reusable secrets into chat if possible, protect or delete the local data directory when done, and do not let generated or untrusted Python run through the analysis helper unless you understand it can access local files and sensitive Fitbit data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

exec() call detected

High
Category
Dangerous Code Execution
Content
stdout = io.StringIO()
    try:
        with contextlib.redirect_stdout(stdout):
            exec(code, namespace)
        output = stdout.getvalue()
        if output:
            print(output)
Confidence
99% confidence
Finding
exec(code, namespace)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly invokes local scripts that read and write local state, access environment/configuration, and communicate with Fitbit services, yet the manifest declares no permissions. This creates a transparency and consent problem: users and platform policy engines are not told that sensitive health data, OAuth material, and local files will be accessed and modified.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The manifest markets the skill as a health assistant, but the documented behavior includes OAuth credential handling, token exchange, local profile storage, network sync, chart generation, and arbitrary Python execution. That mismatch is dangerous because users may grant trust appropriate for a wellness assistant without realizing the skill has much broader code-execution and data-handling capabilities.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to execute arbitrary Python strings against locally available Fitbit datasets. In an agent setting, this can become a code-execution primitive that enables unintended file access, data exfiltration, environment inspection, or abuse beyond health-data analysis, especially if user-controlled input is ever passed through.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file presents itself as a Fitbit analysis utility, but the implementation actually provides general-purpose Python execution. This mismatch is dangerous because users and higher-level agents may assume scoped data analysis while the tool can perform arbitrary actions on the host and exfiltrate sensitive health information.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
For a personal health assistant, exposing arbitrary Python execution is unjustified and materially increases risk. In this context, the tool has access to intimate health data and local paths, so an attacker could read, modify, or export sensitive information or run host-level commands under the guise of analysis.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The docstring suggests a bounded environment with a few helper variables and preloaded DataFrames, but exec() does not enforce those limits. This deceptive framing increases the chance that users or calling agents will treat the tool as safe analytical scaffolding when it is actually a full arbitrary-code executor.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The README encourages very broad natural-language health queries without defining clear trigger boundaries or limiting what actions the agent may take in response. In a health-focused skill, ambiguous invocation scope can cause over-collection, over-analysis, or unintended disclosure of sensitive Fitbit data when the agent interprets loosely phrased requests too broadly.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README states that sensitive health data is stored locally and processed by the agent, but it does not prominently warn users about the privacy risks of storing regulated-like wellness data on disk or exposing it to the hosting LLM/runtime. Because the skill handles highly sensitive biometric and health-adjacent information, understated privacy warnings increase the chance that users enable the skill without understanding retention, local compromise, backup leakage, or model-access implications.

Missing User Warnings

High
Confidence
97% confidence
Finding
The setup flow tells users to paste their Fitbit Client ID and especially Client Secret directly to the agent without any warning or safer handling path. Secrets shared in chat may be logged, retained, exposed to operators, or reused by other components, making this an avoidable credential-exposure risk.

Missing User Warnings

High
Confidence
96% confidence
Finding
The authorization step asks the user to paste the full redirect URL back into the agent, which can include sensitive authorization artifacts such as codes or state values. Collecting these through chat risks token interception via logs or transcript retention and conditions users to disclose OAuth credentials unsafely.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill begins by encouraging health analysis and coaching but does not upfront disclose that it will access, sync, store, and analyze sensitive wearable health data. In the context of Fitbit-derived sleep, heart rate, HRV, SpO2, and related metrics, insufficient privacy notice increases the risk of uninformed consent and inappropriate sharing of highly sensitive personal information.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script enables execution of user-supplied Python against local Fitbit data without warning that code will run with interpreter-level capabilities. In a health-data context, this materially elevates privacy and host-compromise risk because sensitive datasets can be inspected, copied, or combined with broader system access.

Missing User Warnings

High
Confidence
99% confidence
Finding
The direct exec() of untrusted input occurs without any consent prompt, policy gate, or sandbox. That makes exploitation straightforward: any upstream prompt injection or malicious input that reaches this script can immediately execute arbitrary code and access local health files and the broader environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
OAuth access and refresh tokens are written to a local JSON file without any warning, permission tightening, or secure storage controls. On a shared machine or compromised local account, an attacker could steal the refresh token and obtain ongoing access to sensitive Fitbit health data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script is explicitly designed to generate health insights proactively, without the user asking, from highly sensitive wearable and health data. In a personal health assistant context, unsolicited analysis can expose intimate inferences, surprise users, and violate consent and expectation boundaries, especially when the output includes quasi-medical interpretations such as illness, stress, recovery, and cardiovascular fitness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists a health profile containing sensitive data such as health goals and optional health conditions to a predictable local JSON file, but the user-facing flow does not clearly warn at write time that this data will be stored on disk. In a health-assistant context, this is more sensitive than ordinary preferences because local disclosure through shared accounts, backups, logs, or compromised endpoints can expose personal health information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists Fitbit OAuth client credentials in a local .env file without warning the user or applying any protection such as restrictive file permissions or a dedicated secrets store. In a health-data skill, these credentials can enable unauthorized API use or facilitate further token acquisition if the local environment is shared, backed up, or otherwise exposed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script saves OAuth token material to disk in JSON without any user-facing disclosure or apparent hardening. Because this skill handles sensitive Fitbit-derived health information, theft of the token file could allow ongoing API access to personal health data until the token is revoked or expires.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores highly sensitive health and profile data in plaintext JSON under a predictable local path without any access control, encryption, retention limit, or warning to the user. On a shared system or compromised host, these files could be read by other users or malware, exposing medical-adjacent biometric history and profile details.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal