
Security checks across malware telemetry and agentic risk

Overview

This fitness and nutrition skill is not clearly malicious, but it asks for a Hevy API key with read/write access to the user's account, takes persistent write authority over local health and nutrition vault files, and ships a setup flow with weak safeguards.

Install only if you are comfortable giving this skill access to local health/nutrition vault files and a Hevy API key. Review or replace the installer, verify the Hevy CLI binary yourself, restrict ~/.hevycli/config.yaml to owner-only permissions, and require confirmation before the agent writes meal logs, workout logs, RPG stats, or calendar entries, or makes any change to the Hevy account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill mixes nutrition functionality with RPG/XP progression updates and writes to character and calendar files unrelated to the user’s immediate meal-management request. This expands the skill’s authority and creates an unnecessary side-effect surface, increasing the chance of unintended or unauthorized data modification whenever the skill is invoked.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The skill description is very broad and can match common mentions of food, exercise, or health, increasing the chance of unintended invocation. Misrouting can expose users to inappropriate downstream behavior, especially if sub-skills provide tailored health, nutrition, or training advice without sufficient context, consent, or safety checks.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The trigger phrases are broad enough to activate on ordinary food-related conversation, which can cause the skill to run in situations where the user did not intend meal tracking or file modification. In this skill, overbroad activation is more dangerous because the instructions include automatic reads and writes to persistent vault files once triggered.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill instructs the agent to automatically append, create, and update multiple vault files without a user-facing warning or confirmation. Silent persistence of inferred meal data, preferences, recipes, and related records can lead to privacy issues, unwanted data retention, and integrity problems if the agent misinterprets the user’s message.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger description is very broad and includes common natural-language phrases about workouts, sleep, recovery, and weight, which can cause the skill to activate for routine conversation that may not actually require this tool. Over-broad routing increases the chance of unnecessary file access, writes to vault data, or execution of fitness-oriented workflows when the user only intended casual discussion or a different body-related sub-skill.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The setup flow tells users to configure an API key without warning up front that the credential will be stored locally and that it grants read/write access to all of the user's Hevy data. In a skill that handles health and workout records, this raises the chance of accidental credential exposure or an unsafe setup, especially when a user or agent follows the quick start mechanically.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Documenting `hevycli config set api-key <key>` without any guidance on secret handling encourages insecure credential practices, such as placing secrets directly on the command line where they may be exposed through shell history, process listings, logs, or transcripts. In an agent context, this is more dangerous because tools and conversations are often logged automatically, increasing the chance of credential leakage.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
Referencing `HEVYCLI_API_KEY` as an environment variable without security guidance can lead users or agents to store credentials in broadly inherited environments, CI logs, shell startup files, or debugging output. While environment variables are common, they are not automatically safe, and the lack of guidance is risky in an agent skill that may operate in instrumented or shared execution environments.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The setup script writes the API key in plaintext to a persistent file under the user's home directory without warning the user or setting restrictive permissions. If that file is readable by other local users, swept up in backups, exposed in logs, or synced with dotfiles, the credential can be taken and used to read the user's Hevy data or act on the account.
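The three credential findings above (the key passed on the command line, the unguarded `HEVYCLI_API_KEY` variable, and the plaintext config file) share one fix: take the key from stdin or an owner-only file rather than an argument, and create the config file with 0600 permissions from the moment it exists. The shell functions below are an added example for this report, not the skill's own setup script and not a `hevycli` feature; the `api-key:` YAML field name is an assumption, since the report names only the path `~/.hevycli/config.yaml`, not the file layout.

```shell
# Added example for this report: not the skill's setup script and not a
# hevycli feature. Assumption: the key is stored under an "api-key:" entry in
# ~/.hevycli/config.yaml (the report names the path, not the file layout).

# write_hevy_config CONFIG_PATH   (the key is read from stdin)
# Taking the key from stdin rather than an argument keeps it out of shell
# history, `ps` output, and any transcript of the command line.
write_hevy_config() {
    cfg="$1"
    IFS= read -r key || [ -n "$key" ]   # tolerate a key with no trailing newline
    if [ -z "$key" ]; then
        echo "write_hevy_config: empty key on stdin" >&2
        return 1
    fi
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir"
    # umask 077 makes the file 0600 at creation, so there is no window in
    # which a freshly written key is readable by other local users.
    ( umask 077; printf 'api-key: %s\n' "$key" > "$cfg" ) || return 1
    # A pre-existing file keeps its old mode on truncation, so enforce it too.
    chmod 600 "$cfg"
    unset key
}

# check_hevy_config_perms CONFIG_PATH
# Returns 0 only if the file exists with no group/other permission bits.
# This is the check an agent should run before trusting the stored key.
check_hevy_config_perms() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "$cfg: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$cfg: mode $mode, expected 600" >&2; return 1 ;;
    esac
}
```

At an interactive prompt, `read -rs key` followed by `printf '%s\n' "$key" | write_hevy_config "$HOME/.hevycli/config.yaml"` never places the key in argv. If the skill is later changed to read `HEVYCLI_API_KEY` from the environment instead, the variable should be exported only for the single `hevycli` invocation that needs it (`HEVYCLI_API_KEY=... hevycli ...`), not from a shell startup file where every child process and CI log inherits it.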

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The installer script fetches release metadata, then downloads and extracts an archive from a URL taken out of that response without verifying a checksum, signature, pinned version, or trusted digest. If the upstream GitHub account, the release asset, the API response, or the network path is compromised, the installer delivers a malicious binary and stages it for installation on the user's system.
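What the installer should do instead is fetch one fixed release tag rather than whatever the releases API currently reports as latest, and compare the downloaded asset against a digest pinned in the script before anything is extracted. The functions below are an added example for this report, not the skill's installer; the `OWNER/REPO`, tag, asset name and digest are placeholders, not values taken from the page.

```shell
# Added example for this report, not the skill's installer. OWNER/REPO, the
# release tag, the asset name and the digest are placeholders to be replaced
# with the real values; nothing here is taken from the page.

# sha256_of FILE : print the hex SHA-256, on GNU coreutils or BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# download_pinned OWNER/REPO TAG ASSET OUTFILE
# Fetch one specific tagged asset. Resolving "latest" through the releases
# API at install time, as the installer does, is what lets a swapped asset
# through unnoticed; a pinned tag plus a pinned digest closes that gap.
download_pinned() {
    curl -fsSL --proto '=https' --tlsv1.2 \
        "https://github.com/$1/releases/download/$2/$3" -o "$4"
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Extracts only when the digest matches the value pinned in the script;
# otherwise reports the mismatch, touches nothing, and returns 1.
verify_and_extract() {
    archive="$1"; expected="$2"; dest="$3"
    actual=$(sha256_of "$archive") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $archive: SHA-256 mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Installer flow with placeholder values (not run here):
#   download_pinned OWNER/REPO v0.0.0 hevycli_linux_amd64.tar.gz /tmp/hevycli.tar.gz
#   verify_and_extract /tmp/hevycli.tar.gz "<pinned sha256>" "$HOME/.local/bin"
```

The digest has to come from somewhere other than the download itself: a value the maintainer publishes and that is committed into the installer, or a signature (for example a `cosign` or GPG signature over the asset) checked with a key that is also pinned. A checksum file fetched from the same release alongside the archive only proves the two were uploaded together.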

VirusTotal

None of 65 VirusTotal vendors flagged this skill as malicious (65/65 clean). A clean antivirus result says nothing about the credential-handling and unverified-download issues above, which are design weaknesses rather than known malware.

View on VirusTotal