Skill v2.0.1
ClawScan security
Fitlog · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:43 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: FitLog's declared purpose (local CLI journaling/tracking) matches its files and runtime behavior; it stores logs under ~/.local/share/fitlog and does not request external credentials or network access.
- Guidance: This skill appears internally consistent and low-risk: it keeps all data locally under ~/.local/share/fitlog and neither contacts external servers nor asks for credentials. Before installing, note two practical points: (1) SKILL.md assumes a 'fitlog' CLI but provides no install step, so you will need to place scripts/script.sh on your PATH (or run it explicitly) and ensure it is executable; (2) inspect the included script and decide whether you want it to create files under ~/.local/share/fitlog, and consider backups and filesystem permissions for that data directory. For stronger assurance, run the script first in a non-privileged account or sandbox. If a later version of the repository adds network calls, requests for API keys, or reads of unrelated system files, reassess: any of those would raise suspicion.
Review Dimensions
- Purpose & Capability (ok): The name/description (workout/task logging and streaks) aligns with the included CLI implementation: commands operate on per-command .log files under ~/.local/share/fitlog. No unrelated permissions, services, or credentials are requested.
- Instruction Scope (note): SKILL.md documents a CLI named 'fitlog' and describes expected behavior that matches the provided scripts/script.sh. However, SKILL.md does not include an install step to expose the 'fitlog' command (e.g., placing the script on PATH or creating a wrapper). The runtime instructions assume the CLI is available; this mismatch is likely an oversight but not a security risk by itself.
- Install Mechanism (note): There is no install spec (instruction-only), which is low risk. A script file is included (scripts/script.sh) but no install steps are provided, so users or agents must make the script executable and put it on PATH themselves. No downloads or external installers are used.
- Credentials (ok): The skill requests no environment variables and no credentials, and only uses the user's HOME to write local files in ~/.local/share/fitlog. This is proportional to a local journaling tool.
- Persistence & Privilege (ok): The `always` flag is false and the skill does not request elevated or system-wide modifications. It only writes to its own data directory in the user's home. Autonomous invocation (the default) is enabled but is not combined with any broad privileges.
