Fitness Log

Advisory: Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A maliciously crafted workout type, duration, note, goal, or similar value could cause the script to run commands on the user's machine under the user's account.

Why it was flagged

User-controlled command arguments are interpolated directly into Python source code. Crafted values containing quotes or Python syntax could break out of the intended string context and execute unintended local code.

Skill content

type="${1:-workout}"; dur="${2:-30}"; note="${3:-}"
python3 << PYEOF
...
cal = cals.get("$type", 6) * int("$dur")
data.append({"type":"$type",...,"note":"$note",...})

Recommendation

Do not use this script with untrusted input. The maintainer should pass values to Python via argv, environment variables, or JSON serialization, and validate numeric fields instead of embedding shell variables into Python code.

What this means

Workout history and body-weight records remain on disk until the user deletes them, and may be included in local backups or readable by other local processes depending on system permissions.

Why it was flagged

The skill persists workout and weight history in local files. This is expected for a fitness log, but the data can include sensitive personal health information.

Skill content

FIT_DIR="${FIT_DIR:-$HOME/.fitness}"
DB="$FIT_DIR/workouts.json"
...
echo "$(date +%Y-%m-%d)|$w" >> "$FIT_DIR/weight.csv"

Recommendation

Use the skill only if local storage of fitness and weight data is acceptable. Consider file permissions, backups, and manual deletion or export practices.