wger OpenClaw Fitness Skill

This skill appears to be an API client for wger, but there are several inconsistencies you should address before installing or providing any credentials: - Do not supply your WGER_TOKEN until you're comfortable: both Python scripts and the SKILL.md require WGER_TOKEN, but the registry metadata did not declare it. That mismatch could be an oversight, but confirm the skill owner intentionally requires the token. - Verify missing/mentioned files: SKILL.md references generate_report.py, set_goal.py, references/nutrition.md, and an assets HTML template that are not in the package. Ask the publisher for the complete source or an updated manifest; missing files could mean incomplete/broken behavior or omitted functionality. - Confirm dependencies/environment: The bundled scripts use the 'requests' Python library but the skill declares no dependencies. Ensure your runtime has the required Python packages before running, or run the scripts in an isolated environment. - Review what will be executed: SKILL.md instructs running curl and Python scripts. Inspect every script you execute locally (create_log.py, view_logs.py) and any additional scripts the author provides to ensure they only call the wger API and do not transmit data to other endpoints. - Protect the token: Treat WGER_TOKEN as a secret. Prefer scoping the token to least privilege, use a throwaway/test account for initial testing, and avoid pasting it into logs or public channels. Consider self-hosting wger if you need stronger privacy (selfhost.md includes an example Docker compose with weak defaults — change passwords and avoid exposing ports publicly). If the publisher cannot explain or fix the missing declarations and files, consider the skill suspicious and avoid providing real credentials or enabling automated invocation until the issues are resolved.