Security audit

FTPilot

Security checks across malware telemetry and agentic risk

Overview

FTPilot is a coherent cycling coaching skill that uses disclosed Intervals.icu credentials and tools, with no evidence of hidden, destructive, or unrelated behavior.

Install only if you are comfortable connecting an Intervals.icu API key and athlete ID to the MCP tools. Review generated workouts before creating calendar events, and protect the API key because it may allow access to private training and wellness data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrases are broad and overlap with common cycling and fitness queries such as "training plan," "my FTP," and "analyze my ride," which can cause the skill to activate in situations the user did not explicitly intend. Because the skill can access athlete data and create workout events, unintended invocation could expose private training data or cause unwanted calendar modifications through over-eager tool use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.