Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
fitconverter
v1.0.2运动健康转换工具。华为、Zepp、小米、vivo、三星、Keep、悦跑圈、RQrun、动动、行者运动记录导出后,可通过运动健康转换工具转换成fit、tcx、gpx、kml格式文件同步导入高驰、佳明、RQrun、Strava等主流运动平。 运动记录转换工具、运动记忆、运动数据转换、fitconverter、华为运动...
⭐ 0· 64·0 current·0 all-time
by@daozhao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the instructions: the skill calls an external FitConverter MCP/HTTP API to convert exercise files. It legitimately requires the mcporter CLI and an API key (FITCONVERTER_MCP_KEY). Minor inconsistency: the SKILL.md instructs editing ~/.mcporter/mcporter.json (a config path) but the registry metadata lists no required config paths.
Instruction Scope
Runtime instructions explicitly ask the agent to collect sensitive secrets from the user (the FitConverter API Key via chat) and accept source-account/password for some sync types. It also instructs uploading potentially sensitive zip files to api.fitconverter.com and sending payment QR images via a messaging tool. These actions are within the declared conversion purpose, but asking users to paste secrets into chat and instructing the agent to configure mcporter automatically are privacy-sensitive and grant the agent authority to handle secrets.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. It does require the external binary mcporter to be present, which aligns with the documented mcporter calls.
Credentials
The primary credential FITCONVERTER_MCP_KEY is declared and matches the API usage. However, the skill's instructions ask for user account/password (for certain sync modes) and to edit ~/.mcporter/mcporter.json — those are not declared as required config paths or additional environment variables. This is plausible for the service but is worth highlighting because credentials and user data will be transmitted to an external API.
Persistence & Privilege
always:false and agent invocation enabled (default) — expected. The instructions imply writing the API key into the user's mcporter config (~/.mcporter/mcporter.json), which grants persistent local configuration, but the skill metadata did not declare that config path; the skill does not request system-wide privileges or alter other skills.
What to consider before installing
This skill appears to do what it says (convert exercise data) but it asks you to share sensitive things: your FitConverter API Key and, for some syncs, your platform account/password, and to upload ZIP files that may contain personal data. Consider these before proceeding: (1) Prefer manually configuring mcporter rather than pasting API keys into chat; (2) If you must provide an API key in chat, give a constrained key you can revoke; (3) Avoid sharing platform passwords via the agent — use manual sync methods if possible; (4) Verify you trust https://www.fitconverter.com and the API endpoints before uploading files; (5) Note the metadata omission: the skill directs editing ~/.mcporter/mcporter.json but the skill did not declare that config path. If you need higher assurance, ask the publisher for source code or a documented privacy policy and a justification for any credentials requested.Like a lobster shell, security has layers — review code before you run it.
latestvk978eaj1j3xf4514rs06ef1qj984n6qj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏃 Clawdis
Binsmcporter
Primary envFITCONVERTER_MCP_KEY