Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sparky

v0.3.1

SparkyFitness CLI for food diary, exercise tracking, biometric check-ins, and health summaries.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a SparkyFitness CLI and the instructions focus on using a local 'sparky' binary to talk to a self-hosted server — that is coherent. However the registry metadata lists homepage https://github.com/CodeWithCJ/SparkyFitness while the SKILL.md references aronjanosch/sparky-cli (brew tap, releases). This source/homepage mismatch is unexplained and could indicate a packaging or provenance problem.
Instruction Scope
SKILL.md contains detailed CLI usage and agentic workflows that stay within the stated purpose (searching/logging food, exercise, check-ins). A few examples reference other tools (jq, git, go, sudo, brew) for install or JSON parsing, but those binaries are not declared in the skill metadata — this is a minor mismatch but not obviously malicious. The instructions do not ask the agent to read unrelated files or environment variables.
Install Mechanism
This is an instruction-only skill (no install spec) so nothing is installed by the platform itself. The SKILL.md mentions installing prebuilt binaries or building from source using GitHub releases/Go; these are standard but require the user to verify release authenticity (checksums/signatures) because binaries will be placed on disk.
Credentials
The skill declares no required environment variables or credentials. That aligns with the README-style instructions which show the CLI storing a URL/key via 'sparky config'. Be aware that the CLI itself will ask for a server URL and API key (entered by the user) — those secrets are not requested by the skill metadata but will be used by the binary at runtime.
Persistence & Privilege
always:false and model invocation is allowed (defaults). The skill does not request elevated persistence or modify other skills. It's an agent-invocable helper that runs local CLI commands — typical for this class of skill.
What to consider before installing
This skill is mostly coherent for controlling a local 'sparky' CLI, but verify provenance before installing or running any downloaded binary. Specifically:
- Confirm which GitHub project/release is authoritative — SKILL.md references aronjanosch/sparky-cli while registry metadata points at CodeWithCJ; ask the publisher or check the linked repos to ensure you download the intended project.
- If you install a prebuilt binary, verify checksums/signatures from the official release page and prefer building from source if you can audit it.
- The examples use tools like jq, git, go, brew and sudo; ensure those tools are present and trustworthy on your system.
- The CLI will ask you to set a server URL and API key (sparky config set-url / set-key). Treat those values as sensitive: only provide them to a server you control or trust.
- Because this is an instruction-only skill, the platform won’t install code itself — the primary risk is running an unfamiliar binary locally. If you’re unsure, run the binary in a sandbox or inspect/build from source before use.
If you can provide the exact repository you expect this skill to reference (or the publisher confirm the correct homepage), I can re-evaluate with higher confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a80kwfgxw4cv2q5hv1tne9h83ynx8


Runtime requirements

🏃 Clawdis
Bins: sparky
