Back to skill

Security audit

Symptom

Security checks across malware telemetry and agentic risk

Overview

This is a local symptom-tracking skill that stores user-entered health notes on disk; the privacy tradeoff is real but disclosed and aligned with its purpose.

Install only if you are comfortable keeping symptom and wellness notes in plaintext files on this computer. Avoid using it on shared accounts, protect or encrypt your home directory if the notes are sensitive, review or delete ~/.local/share/symptom when needed, and verify the export command before relying on it for backups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
80% confidence
Finding
This skill handles health-related entries and states that actions are logged with timestamps, yet the primary description does not prominently warn users that sensitive symptom data is stored persistently in local logs and history files. Because health information is highly sensitive, insufficient disclosure can lead users to enter private data without understanding retention and local exposure risks on shared or compromised machines.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script stores user-entered health information in plaintext under ~/.local/share/symptom without warning the user that sensitive medical-style data will persist on disk. In a health context, silent local retention increases the risk of unintended disclosure to other local users, backups, support tooling, or anyone with access to the account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The export function consolidates all stored logs into plaintext json/csv/txt files with no warning that highly sensitive health-related entries may be copied into a more shareable form. Exported files are easier to leak through email, syncing, backups, or accidental sharing, so the health-data context makes this materially more dangerous.

Ssd 3

Medium
Confidence
94% confidence
Finding
User-provided health inputs are retained broadly across multiple plaintext log files and then surfaced through search, recent, status, and export functionality, increasing the number of ways sensitive information can be redisclosed. Because this skill handles symptom and health-pattern data, broad retention and easy replay materially raise privacy and confidentiality risk even without network transmission.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.