FitClaw Public Core

Security checks across malware telemetry and agentic risk

Overview

This is a text-only fitness coaching skill with no code or credentials, but it may remember personal fitness details if the user's agent has memory enabled.

Reasonable to install if you want a fitness-coaching workflow. Before use, check your agent's memory settings and avoid sharing body metrics, nutrition habits, injuries, or progress details unless you are comfortable with them being retained; clear or disable memory if you want session-only coaching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly recommends storing hydration target, reminder preference, and adherence trend in user memory without mentioning consent, retention limits, or visibility to the user. In a coaching system, this can lead to silent collection and persistence of behavioral/health-adjacent data, creating privacy risk and possible misuse if the memory layer is broader than the skill assumes.

Missing User Warnings

Medium
Confidence: 86%
Finding
The module explicitly recommends storing user goal direction, nutrition structure, recurring food behavior problems, and adherence trends if runtime memory exists, but it provides no guidance on user notice, consent, retention limits, access controls, or data minimization. Because this is health- and behavior-related personal data in a coaching context, an implementing agent could persist sensitive information by default in ways users do not expect, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs the runtime to store preferred name, baseline body data, goal direction, and workflow stage, but it does not require notice, consent, retention limits, or access controls. Because the module is for fitness coaching, the collected data includes personal and body-profile information that can be sensitive, so silent persistence increases privacy and compliance risk if the platform stores or reuses it improperly.

VirusTotal

66/66 vendors flagged this skill as clean.
