fit-device-id-modifier
Security checks across malware telemetry and agentic risk
Overview
The skill appears to modify local FIT files as advertised, with minor cautions about bulk file writes and an unpinned Python dependency.
This looks safe for its stated purpose if you trust the dependency and run it only on the FIT files you intend to convert. Keep the originals, check the generated _GM.fit files, and avoid running the bulk mode from a broad or unrelated directory.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the command from an unintended folder could create many modified FIT copies.
When run without a target, the script bulk-selects FIT files in subdirectories and writes modified output files. This matches the documented batch-conversion purpose, but it can affect many local files if run from the wrong directory.
`else: files = glob.glob("./*/*.fit") ... with open(output_file, 'wb') as f: f.write(data)`
Run it only on a specific file or intended directory, and review the _GM.fit outputs before uploading or sharing them.
Installing an unpinned package may pull a newer or different dependency version than expected.
The dependency is installed via an unpinned pip command rather than a version-pinned install spec. This is common for a simple Python utility, but users should notice the external package dependency.
`fitparse` library (`pip install fitparse`)
Install dependencies from a trusted Python environment and consider pinning a known-good fitparse version.
