Fitbot

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: fitbot
Version: 0.1.1

The skill is classified as suspicious due to an instruction in `references/onboarding.md` that directs the AI agent to "set up via cron or heartbeat" for reminders. While the stated purpose of setting reminders is benign, the use of `cron` implies the ability to schedule arbitrary commands on the host system. This capability introduces a significant security risk, as it could be exploited for persistence, arbitrary command execution, or prompt injection leading to malicious scheduled tasks, even if the skill's explicit intent is not malicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your training profile, pain/injury notes, preferences, and workout logs may remain in the workspace and influence future advice.

Why it was flagged

The skill stores persistent personal fitness and health-related context, then reuses it as the source of truth for future coaching.

Skill content

`FITNESS.md` — who the user is and everything about their training ... `fitness/workouts/YYYY-MM-DD.md` — daily workout logs

Recommendation

Keep the workspace private, review `FITNESS.md` and workout logs periodically, and remove or correct sensitive or outdated health information.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If enabled, the skill or environment may create recurring check-ins or reminders beyond a single chat session.

Why it was flagged

The skill supports optional recurring reminders, which is a disclosed persistence mechanism for fitness accountability.

Skill content

**Reminders**: if they want them, capture schedule/timezone/preferences and set up via cron or heartbeat

Recommendation

Only enable reminders deliberately, confirm the schedule/timezone, and make sure you know how to pause or remove any cron or heartbeat setup.