Fitness Log
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a local fitness tracker, but its script builds Python source code from command-line arguments, so crafted workout or weight values could make it run unintended local commands.
Review this carefully before installing. The local-only design and lack of network access are positive, but the script should be fixed to avoid embedding user inputs into Python code. Avoid logging values copied from untrusted sources until that is corrected.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted workout type, duration, note, goal, or similar value could cause the script to run commands on the user's machine under the user's account.
User-controlled command arguments are interpolated directly into Python source code. Crafted values containing quotes or Python syntax could break out of the intended string context and execute unintended local code.
type="${1:-workout}"; dur="${2:-30}"; note="${3:-}"
python3 << PYEOF
...
cal = cals.get("$type", 6) * int("$dur")
data.append({"type":"$type",...,"note":"$note",...})

Do not use this script with untrusted input. The maintainer should pass values to Python via argv, environment variables, or JSON serialization, and validate numeric fields instead of embedding shell variables into Python code.
Workout history and body-weight records remain on disk until the user deletes them, and may be included in local backups or readable by other local processes depending on system permissions.
The skill persists workout and weight history in local files. This is expected for a fitness log, but the data can include sensitive personal health information.
FIT_DIR="${FIT_DIR:-$HOME/.fitness}"
DB="$FIT_DIR/workouts.json"
...
echo "$(date +%Y-%m-%d)|$w" >> "$FIT_DIR/weight.csv"

Use the skill only if local storage of fitness and weight data is acceptable. Consider file permissions, backups, and manual deletion or export practices.
