Skill v6.0.3

ClawScan security

Fitness Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 27, 2026, 4:06 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to be what it says — a local fitness/workout guidance and calculator that only runs a bundled bash script and does not request credentials or install external code — but there are small inconsistencies you should verify before installing.
Guidance
This skill is largely self-contained and coherent with its stated purpose, but before installing you should: 1) inspect the full scripts/script.sh (the provided excerpt was truncated) to ensure it makes no network calls, remote uploads, or shell execs beyond local calculation/printing; 2) confirm whether python3 is actually invoked (SKILL.md mentions python3) and whether the registry should declare that dependency; 3) note the minor version mismatch (SKILL.md v6.0.3 vs script VERSION 6.0.2) — ask the author for clarification if you rely on a specific release; and 4) run the script in a sandbox or with limited permissions the first time to verify behavior. If you are not comfortable auditing the full script, avoid granting broad agent permissions or automatic invocation until a full review is done.

Review Dimensions

Purpose & Capability
ok
Name/description (fitness plans, calculators, exercise guidance) align with the included SKILL.md and the bundled scripts: the skill invokes a local bash script that prints guidance and implements calculators. Nothing in the manifest asks for unrelated cloud credentials or system access.
Instruction Scope
note
SKILL.md instructs the agent to call bash scripts/script.sh for standards, calculate, and plan. The script contents shown are local help text and guidance functions; this stays within the stated fitness/training purpose. However SKILL.md lists runtime requirements (bash 4+ and python3) while the registry metadata lists no required binaries — confirm whether the script actually invokes python or accesses files not shown in the truncated portion.
Install Mechanism
ok
No install spec (instruction-only with a bundled script). No downloads or external package installs are declared, so there is low install risk. The only code delivered is scripts/script.sh alongside SKILL.md.
Credentials
ok
The skill declares no required environment variables, secrets, or config paths. That matches the fitness guidance use-case and the visible script content, which prints static guidance and presumably performs local calculations.
Persistence & Privilege
ok
always is false and there is no indication the skill will persist or modify other skills or system-wide settings. It does not request elevated or permanent privileges.