Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SparkyFitness

v1.4.0

SparkyFitness CLI for food diary, exercise tracking, biometric check-ins, and health summaries.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (SparkyFitness CLI for food, exercise, check-ins) aligns with the single required binary 'sparky' and the CLI commands shown. However, the SKILL.md's install/build instructions reference a different GitHub repo and Homebrew tap (aronjanosch/sparky-cli and aronjanosch/tap) while the skill metadata/homepage points to CodeWithCJ/SparkyFitness. This repo/homepage mismatch is unexpected and should be verified.
Instruction Scope
SKILL.md instructs the agent/user to run and configure the sparky CLI and to set a server URL and API key (sparky config set-url / set-key). That behavior is consistent with a self-hosted CLI. But the instructions also use additional tools without declaring them (for example, 'sparky -j food diary | jq ...' relies on jq). The doc also instructs fetching data from online providers (Open Food Facts, Free Exercise DB); that is expected for this purpose, but it implies network I/O and data sent to external services. SKILL.md does not document where the CLI stores the API key or how it is protected.
Install Mechanism
There is no install spec in the registry (instruction-only), which is the lowest automated risk. The included install instructions point to GitHub (aronjanosch/sparky-cli) and a Homebrew tap. Both are standard hosts, but neither matches the declared homepage repo. The mismatch between homepage/source and install target could indicate a stale fork/copy or an error; confirm the correct upstream and review its code before installing.
Credentials
The registry declares no required environment variables or credentials. The CLI uses an API key configured via 'sparky config set-key <key>' (so the key is stored in the CLI config rather than passed via environment). This is proportionate to a client for a self-hosted server. There are no unrelated credential requests in the metadata.
Persistence & Privilege
The skill does not request 'always' privilege and is user-invocable only; autonomous invocation is allowed by default (normal). The platform performs no install action. SKILL.md suggests 'sudo mv' for manual installation, which requires elevated local privileges. That is standard for installing system binaries, but avoid it unless you trust the binary and its repo.
What to consider before installing
Before installing or using this skill:
1) Verify the correct upstream repository and Homebrew tap. SKILL.md references aronjanosch/sparky-cli while the metadata/homepage points to CodeWithCJ; confirm which repo you trust and inspect its releases/tags.
2) Inspect the sparky binary/source code (or build from source yourself) to see what network endpoints it contacts and where it persists the API key/config.
3) Install missing helper tools referenced in the docs (e.g., jq) only if you need them.
4) Avoid running 'sudo mv' on an untrusted binary; prefer building in a sandbox or running in a container first.
5) If you plan to use a production health server, create a limited API key and review the CLI's privacy/storage behavior (where it writes config, whether it transmits more data than expected).
These inconsistencies do not prove maliciousness, but they warrant manual verification before trusting or installing the CLI.
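The following helper covers steps 1, 2 and 4 of that checklist before anything is moved into a system path. It is an added example, not code from the SparkyFitness skill, sparky-cli or ClawHub: it checks a downloaded artifact against a SHA-256 digest you copy from the release page of the repo you decided to trust, and lists the http(s) URLs and hostnames embedded in the file so you can compare them with the endpoints the docs mention (Open Food Facts, your own server). Everything is run from a scratch directory on a copy of the artifact; the digest and the hostnames in the comments are placeholders, not real sparky-cli values.

```shell
#!/bin/sh
# Pre-install review helpers (added example; not part of sparky-cli or the skill).
# Works with either GNU coreutils (sha256sum) or macOS/BSD (shasum).

sha256_of() {
  # Print the hex SHA-256 of the file given as $1.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

verify_sha256() {
  # $1 = artifact path, $2 = digest copied from the release page you trust.
  # Returns 0 only when the file matches; a mismatch means do not install it.
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

list_embedded_urls() {
  # Extract every http(s) URL literal from a (possibly binary) file, deduplicated.
  # -a forces grep to treat the binary as text; -o prints only the match.
  grep -aoE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" | sort -u
}

list_embedded_hosts() {
  # Reduce the URL list to bare hostnames so it can be compared against the
  # endpoints the documentation claims the tool talks to.
  list_embedded_urls "$1" | sed -E 's#^https?://##; s#[/:].*$##' | sort -u
}

review_artifact() {
  # $1 = path to the downloaded binary, $2 = expected digest (hypothetical value below).
  if verify_sha256 "$1" "$2"; then
    echo "digest OK: $1"
  else
    echo "DIGEST MISMATCH: $1 (got $(sha256_of "$1"))"
    return 1
  fi
  echo "embedded hosts:"
  list_embedded_hosts "$1" | sed 's/^/  /'
}

# Usage: sh review.sh ./sparky <sha256-from-release-page>
if [ "$#" -eq 2 ]; then
  review_artifact "$1" "$2"
fi
```

Run it from the directory where you downloaded the release asset, before any 'sudo mv'. Any hostname in the output that is neither your own server nor one of the providers named in SKILL.md is worth tracing in the source before you trust the binary; strings that are built at runtime will not show up here, so this is a first filter, not a substitute for reading the code.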


latest: vk97ac1ch8hgebknm2r6m8fdvn183betk


Runtime requirements

Runtime: Clawdis
Bins: sparky
