iwatch-swim-tracker

Security checks across malware telemetry and agentic risk

Overview

This swim-tracking skill is aligned with its purpose, but it automatically stores and can overwrite health-related workout records with under-scoped triggering and limited user control.

Review this before installing if you track private fitness data. It writes swim history locally, includes preloaded workout records, and can overwrite records from the same day. Prefer using it only after clearing bundled sample data and ensuring saves or overwrites require your explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium (84% confidence)

Using the broad keyword '游泳' (Chinese for "swimming") plus any image as a trigger can cause the skill to activate on unrelated conversations or photos. In this context, that can lead to unintended OCR, health-data inference, and storage attempts on images the user did not intend to submit for structured tracking.

Missing User Warnings

Medium (93% confidence)

The skill states it will save training records and overwrite same-day data, but it does not describe a user notice, consent flow, or overwrite confirmation. For health-related workout data, silent persistence and replacement can violate user expectations, cause data loss, and create privacy/compliance concerns.

VirusTotal

64/64 vendors flagged this skill as clean.