Fitness Planner

Security checks across malware telemetry and agentic risk

Overview

The fitness planner is mostly legitimate, but its video search and reminder script need review because they can run shell commands and send workout details to a fixed WeChat recipient.

Install only after reviewing or disabling the video-search and daily reminder paths. Do not run scripts/daily_reminder.sh until the recipient and channel are changed to your own approved settings, and avoid arbitrary exercise-name video lookup until shell execution is replaced with a safer structured API call. Expect fitness and recovery data to be stored locally in plaintext.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation instructs use of `yt-dlp --dump-json` for video search, which introduces general shell execution for a non-essential feature. Even if the example command is fixed, normalizing shell-based retrieval for user-derived queries increases the risk of command injection, unsafe process spawning, and unnecessary expansion of the agent's attack surface.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module invokes a shell command via child_process.exec to perform web search, and the command string incorporates searchKeyword derived from exerciseName/detail data. Because exec runs through a shell, attacker-controlled input can lead to command injection or unintended command execution, which is substantially more dangerous than the notifier role implies.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
sendWecomMessage claims to send Enterprise WeChat notifications but only logs the message and always returns success. This can create a false assurance that notifications were delivered, causing silent failures in monitoring or user communication workflows, and it may also leak message contents to logs unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs autonomous outbound messaging and logging behavior that is not clearly disclosed by the skill metadata, which describes planning/tracking features rather than scheduled background delivery. This creates a capability mismatch that can surprise operators, leak user-derived content off-platform, and enable persistent unsolicited communications if deployed as a cron job or background task.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script sends messages to a hard-coded Enterprise WeChat recipient, which is an unjustified external communication path for a fitness skill unless clearly authorized and configured by the user. A fixed recipient can route user-specific plans or health-related content to an unintended account and is especially risky because it bypasses runtime user confirmation.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code invokes a shell command via exec using data derived from exercise names/search keywords, which gives this notifier module unnecessary command-execution capability for a fitness assistant. In this skill context, video lookup could be implemented through a direct API call; using a shell materially increases attack surface and can lead to command injection or abuse of local tool access if the keyword contains quotes or shell metacharacters.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad everyday terms such as 健身、运动 and similar generic phrases, making accidental invocation likely in unrelated conversations. Over-broad activation can cause the skill to capture context it should not handle, misroute user intent, and unexpectedly exercise its file/tool behaviors.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The catch-all trigger condition for any fitness/exercise-related topic lacks clear boundaries, so the skill may activate on broad health or lifestyle discussions. Because this skill can write local data and invoke external search guidance, unintended activation is more dangerous than in a read-only informational skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function automatically persists a modified workout plan via saveCurrentPlan(adjustedPlan) based on internal state, without any explicit user confirmation or a just-in-time warning at the write point. In a fitness-planning skill, silent mutation of health-related training data can cause users to follow an unintended regimen, which may lead to overtraining, undertraining, or confusion about what changed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
generateNextWeekPlan() overwrites the persisted current plan with a newly generated version using saveCurrentPlan(newPlan) without an explicit confirmation step. Because this skill manages workout programming, silent overwrite of the active plan can materially alter user behavior and obscure prior plan state, especially if the auto-adjustment logic is wrong or triggered unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill collects and persists sensitive health-related data such as sleep duration, energy level, recovery status, soreness, and training history, but the user-facing flows shown here do not provide any privacy notice, retention disclosure, or consent step before storage. In a fitness context this data can reveal health conditions and behavioral patterns, so silent persistence increases privacy and compliance risk if the data is exposed, reused, or retained longer than expected.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends exercise-related queries to an external search service through a subprocess without any visible consent, disclosure, or policy enforcement in this component. While exercise names are not highly sensitive by default, user-entered queries or notes could still reveal health or behavioral information, making undisclosed external transmission a privacy issue.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module persists multiple JSON state files under the user's home directory without any visible consent, disclosure, retention policy, or controls in this file. Even though the data is fitness-related rather than obviously secret, it includes longitudinal behavioral and wellness information that can reveal habits and health patterns if stored unexpectedly or accessed by other local processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code records sleep, energy, stress, motivation, soreness, and related recovery data, then retains it across sessions in a local state file without any visible warning or consent flow here. That is sensitive wellness data; persistent collection without transparency creates privacy risk and can expose intimate health inferences if the workstation, account, or local files are accessed by others.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The file encourages users to search third-party video platforms for exercise instruction but does not warn that external fitness content may be incorrect, non-individualized, or unsafe for users with injuries or limited experience. In a fitness-planning skill, this can contribute to harmful exercise execution, especially for technically demanding or physically risky movements such as bench press, squats, pull-ups, and overhead work.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically runs 'npm install' and a build step when 'dist' is missing, causing dependency retrieval and code execution without any disclosure or approval. In a scheduled script, this expands the trust boundary to the npm supply chain and can lead to unexpected network access or execution of malicious install scripts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code automatically persists a modified workout plan via saveCurrentPlan(adjustedPlan) after internal state thresholds are met, without any explicit user confirmation at the point of mutation. In a fitness-planning skill, silently changing user training data can cause loss of the user's intended regimen, confusion about what plan is current, and potentially unsafe training changes if the user follows an unexpectedly altered program.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
generateNextWeekPlan() overwrites the current saved plan with a newly generated one using saveCurrentPlan(newPlan) and then resets adjustment counters, with no warning that the existing plan will be replaced. This can destroy or obscure user-authored workout data and make recovery difficult, especially if the current plan contained manual edits or was still in active use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The shell command embeds exercise-derived input directly inside a command string: `mcporter call 'exa.web_search_exa(query: "${searchKeyword} bilibili", numResults: 1)'`. Because `searchKeyword` can contain attacker-controlled quotes or shell-breaking characters, this creates a realistic command-injection path and also silently sends user-derived content to an external search tool without disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The module persists training periodization state to a predictable path under the user's home directory without any disclosure, consent flow, or retention controls. While this specific state is not highly sensitive by itself, it still creates undeclared local data storage that may surprise users, leak usage patterns, or be exposed to other local processes, backups, or shared environments.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code stores wellness-related feedback such as sleep, stress, energy, soreness, and motivation to disk without explicit notice or opt-in. This is more sensitive than ordinary workout metadata because it captures health-adjacent personal information that could reveal habits and condition trends if accessed by other local users, malware, logs, or backups.

VirusTotal

66/66 vendors flagged this skill as clean.
