ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI健身教练

v1.1.0

Personalized fitness planning and workout accountability coach for beginners and intermediates. Use when users want a training plan, workout logging, progres...

1· 68·0 current·0 all-time
by@dexterqiu-collab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (training_planner, memory_manager, feishu_integration, fitness_coach) implements a fitness coach consistent with the skill description. Requesting local storage and optional Feishu sync is plausible for this purpose. However, openclaw.yaml and config.yaml reference an LLM API key and Feishu credentials which are not declared in the registry metadata (no required env vars). That mismatch is noteworthy but could be explained by the repo providing an optional runtime implementation.
!
Instruction Scope
SKILL.md emphasizes a markdown-first skill and does not instruct reading or writing arbitrary files, but the included Python code will persist user profiles, conversation memories, and logs to the user's home directory (~/.claude/skills/fitness-coach/data) and can call external APIs. If the host executes the Python entrypoint (openclaw.yaml points to fitness_coach.py), the skill will create files and may transmit data to Feishu/LLM endpoints when configured. SKILL.md's claim that Python files are 'reference' but untrusted by default conflicts with the presence of an executable entry in openclaw.yaml.
Install Mechanism
There is no install spec in the registry (skill is instruction-only), which is low-risk in isolation. But the repo contains shell scripts (openclaw.sh, publish-to-github.sh) and an openclaw.yaml that declares a Python main — if the OpenClaw host honors that file and executes Python code, the code will be written to disk and run. No remote download URLs or third-party installers were found.
!
Credentials
Registry metadata lists no required environment variables or credentials, yet config.yaml and openclaw.yaml reference a required LLM api_key and optional Feishu app_id/app_secret. The code will skip Feishu calls if credentials are missing, but openclaw.yaml marks api_key as a required config item. This inconsistency could cause a host to prompt for secrets the SKILL.md did not advertise — ask the publisher which credentials are actually required and why.
Persistence & Privilege
The skill does persist user data locally (JSON files under ~/.claude/... by default) and stores recent conversation history. always:false (not force-included) and disable-model-invocation:false are fine. Persistence is functionally reasonable for a memory-enabled coach, but you should be aware that conversation logs and profile data will be written to disk unless you change the data_dir or disable memory.
What to consider before installing
This package appears to be a legitimate fitness coach, but the repository contains runnable Python code and configuration that differ from the published 'instruction-only' claim. Before installing: 1) Confirm whether your OpenClaw host will execute the Python entrypoint (openclaw.yaml) or treat the package purely as a markdown skill — if the host runs the Python, the code will create files in your home directory and may call external APIs. 2) Do not provide LLM API keys or Feishu app_id/app_secret unless you trust the publisher; Feishu sync and LLM calls are optional but the repo/config reference them and openclaw.yaml marks an api_key as required. 3) If you install, consider setting feishu.enabled=false and review/override the data_dir in config.yaml to a location you control (or disable persistence) to avoid unexpected local storage. 4) Inspect openclaw.yaml and fitness_coach.py yourself (or ask the maintainer) to confirm which credentials/configs the host will actually request. If you are uncertain, treat this as untrusted code and avoid supplying secrets or allowing the host to run the Python files.

Like a lobster shell, security has layers — review code before you run it.

coachvk970n05gtqyf01632ak0vhg8b983g7r2exercisevk970n05gtqyf01632ak0vhg8b983g7r2fitnessvk970n05gtqyf01632ak0vhg8b983g7r2healthvk970n05gtqyf01632ak0vhg8b983g7r2latestvk970n05gtqyf01632ak0vhg8b983g7r2trainingvk970n05gtqyf01632ak0vhg8b983g7r2workoutvk970n05gtqyf01632ak0vhg8b983g7r2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏋️ Clawdis
OSLinux · macOS · Windows

Comments