Security audit

Megan

Security checks across malware telemetry and agentic risk

Overview

This nutrition skill is coherent and disclosed, with local food/profile logging only when the user asks for persistence and confirms it.

Install only if you are comfortable storing nutrition profile and daily food-log data locally. Use the persistence feature intentionally, avoid entering medical information you do not want retained, and delete ~/nutrition-data if you later want the stored records removed.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs storing sensitive user data such as sex, age, weight, cycle dates, allergies, and daily food logs in local files. This exceeds the declared advice-only scope and creates a privacy and data-retention risk, especially because reproductive-health and dietary data are sensitive and persistence can occur outside clear user expectations despite a confirmation prompt.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.