fitness-nutrition
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands like curl and python3 to query APIs and perform fitness calculations using local scripts.
- [EXTERNAL_DOWNLOADS]: Fetches fitness and nutrition data from well-known technology services: wger (wger.de) and the official U.S. USDA FoodData Central (api.nal.usda.gov).
- [SAFE]: The automated alerts for "Remote Code Execution" are false positives; the code snippets pipe JSON response data into local, static Python scripts for parsing rather than executing code from the remote server.
- [PROMPT_INJECTION]: The skill incorporates external data from third-party APIs into the agent's context, creating a surface for indirect prompt injection if those sources were compromised.
  - Ingestion points: JSON data retrieved from exercise and nutrition APIs.
  - Boundary markers: Absent in the current implementation.
  - Capability inventory: Shell command execution and Python script execution.
  - Sanitization: Basic HTML unescaping and regex-based tag removal are applied to exercise descriptions.
Audit Metadata