Skill v1.3.0

ClawScan security

wger Fitness Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 17, 2026, 3:22 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions generally match a wger fitness integration, but there are packaging and metadata inconsistencies (undeclared required token and references to missing files) that make the bundle suspicious until clarified.
Guidance
This package appears to be a straightforward wger API helper, but two issues need resolution before you trust it:

1) Metadata vs runtime mismatch: The skill package/registry metadata does not declare WGER_TOKEN, yet both SKILL.md and the included scripts exit if WGER_TOKEN is missing. Treat WGER_TOKEN as a required secret for runtime. Only provide it if you trust the skill and run it in a controlled environment.

2) Missing files referenced in the instructions: SKILL.md mentions scripts and assets (generate_report.py, set_goal.py, edit_log.py, references/nutrition.md, assets/progress_template.html) that are not present. Ask the publisher for the full bundle or updated documentation before relying on automation. Missing files could mean the skill is incomplete or the instructions were copied from another project.

Practical steps:
- Inspect the two included scripts locally (they are short and only call the wger API) and run them in an isolated environment first.
- Only set WGER_TOKEN as an env var in a restricted environment, or use a short-lived token if wger supports it.
- Request the missing files or a corrected package from the publisher; decline installing until the manifest, docs, and runtime requirements match.

If the publisher provides a corrected package where required env vars and referenced files are present and accurate, the skill would look benign. As-is, the inconsistencies warrant caution.

Review Dimensions

Purpose & Capability
note: The skill's name, description, and included Python scripts (create_log.py, view_logs.py) align with a wger API client. However, the SKILL.md and scripts require an environment token (WGER_TOKEN) and reference other scripts/resources (generate_report.py, set_goal.py, edit_log.py, references/nutrition.md, assets/progress_template.html) that are not present in the manifest. Also, the registry metadata claims 'Required env vars: none' despite the code requiring WGER_TOKEN. These are packaging/metadata inconsistencies.
Instruction Scope
concern: Instructions direct the agent to run curl/exec and the provided Python scripts to call the wger API, which is expected. But the SKILL.md instructs use of scripts/files that are missing from the package and suggests integration with OpenClaw crons/subagents. The instructions do not ask to read unrelated system files or other credentials, but they do require an API token (WGER_TOKEN) which the registry did not declare.
Install Mechanism
ok: No install spec (instruction-only plus a couple of simple scripts). Nothing is downloaded or extracted at install time, which minimizes install-time risk.
Credentials
concern: The only runtime secret required by the code is WGER_TOKEN, which is appropriate for a wger API client. However, the registry metadata lists no required env vars while SKILL.md and the scripts clearly require WGER_TOKEN. This mismatch is a red flag (it could be an oversight, or it could hide credential requirements). No other unrelated credentials are requested.
Persistence & Privilege
ok: 'always' is false and model invocation is not disabled; the skill does not attempt to modify other skills or system configs. It does reference cron/subagent integration (normal for automation) but does not demand permanent elevated privileges.