wger OpenClaw Fitness Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent wger fitness API helper, but users should treat its token and self-hosting examples carefully.

Install this only if you intend to connect an agent to your wger account. Keep WGER_TOKEN private, review the exact payload before logging workouts or nutrition or updating routines, and replace the sample Docker password with a strong secret if self-hosting.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The example compose file hardcodes weak placeholder database credentials (`pass`) and publishes the application on a host port while presenting direct access URLs, but it does not clearly warn users not to reuse the sample secrets or restrict exposure. In self-hosting documentation, readers often copy examples verbatim, so this can lead to deployments with trivially guessable credentials and unnecessarily exposed services or APIs.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal