wger Fitness Manager
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a straightforward wger API helper, but it can use a wger token, change fitness records, and optionally persist health data through automation, so review those settings before use.
Install only if you are comfortable giving the skill a wger API token and allowing it to read or update your workout and nutrition records. Confirm any create/update command before it runs, secure the token, and if you self-host wger, update the scripts so they use your self-hosted API URL instead of the default wger.de endpoint.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or wrong ID could alter workout or nutrition data in the user's wger account.
The skill documents raw API calls that can create or update records in the user's wger account. This matches the stated purpose, but it is still account-mutating behavior.
Create log: exec curl -X POST ... https://wger.de/api/v2/workoutlog/ ... Update routine: exec curl -X PATCH ... https://wger.de/api/v2/workout/[ID]/
Only run create/update commands after confirming the target workout, exercise, date, and values; prefer explicit user approval for POST/PATCH actions.
Anyone or any process with access to the token may be able to read or modify the user's wger data according to that token's permissions.
The skill needs a wger API token, which grants delegated access to the user's fitness account. This is expected for the integration, but the registry metadata does not declare a primary credential or required env var.
Auth: Token from wger dashboard (User > API). Set env WGER_TOKEN=your_key or pass in commands.
Store WGER_TOKEN securely, avoid pasting it into shared logs or prompts, rotate it if exposed, and adjust the API base before using bundled scripts with a self-hosted wger instance.
Workout, weight, nutrition, or progress information may remain in local notes or agent context beyond a single interaction.
The skill proposes persisting fitness data into a local health file and using subagents for analysis. This is purpose-aligned, but it can store sensitive health information for later reuse.
For automation: Crons/subagents (e.g., daily pull to health.md).
Choose the storage location intentionally, review retention and sharing behavior, and avoid syncing health.md to places where private health data should not go.
If copied directly for a real deployment, the self-hosted service could use a weak database password and unpinned container version.
The optional self-hosting example uses a floating Docker image tag and a weak example database password. This is user-directed setup documentation, not automatic installation, but users should not deploy it unchanged.
image: wger/server:latest ... POSTGRES_PASSWORD: pass
Pin container images to trusted versions, replace example passwords with strong secrets, and restrict network exposure as the reference suggests.
