ClawHub

Section 11: Endurance Training Coach (Intervals.icu)

Security checks across malware telemetry and agentic risk

Overview

This coaching skill appears legitimate, but it can fetch mutable remote instructions and, with configured credentials, change training calendars and thresholds while its privacy text understates that scope.

Install only if you trust CrankAddict/section-11 and are comfortable with a coach that reads sensitive training data and may use Intervals.icu credentials. Prefer local files or a private repo, pin or vendor the protocol files if possible, use least-privilege tokens, keep heartbeat automation opt-in, and require preview plus explicit confirmation before any calendar, threshold, or annotation write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented primarily as a coaching and analysis protocol, but it also exposes write-capable operations that can modify an athlete's external training systems, including workout calendars, thresholds, and activity annotations. That mismatch increases the chance that a user or host platform enables the skill with read-oriented expectations while overlooking the operational risk of downstream state changes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill claims fetched content comes only from user-configured sources, but it also includes hardcoded fallback fetches from public GitHub raw URLs. This creates a trust-boundary mismatch and introduces supply-chain risk, because the agent may ingest remote instructions or templates from a public source even when the user did not explicitly configure that source.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The privacy/security section states that writes are limited to DOSSIER.md and HEARTBEAT.md during first-use setup, but the skill later documents additional write operations to calendars, thresholds, and annotations. This inconsistency can mislead reviewers and users about the real modification scope, increasing the chance of unintended data changes in connected training platforms.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal