Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fitness encyclopedia
v1.0.0Comprehensive AI fitness assistant offering personalized training plans, nutrition calculation, strength prediction, joint assessment, and expert fitness kno...
⭐ 0· 48·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and reference materials match the stated fitness purpose (nutrition, 1RM prediction, training plans). However the package manifest (openclaw.requires: python3) and bundled Python scripts imply a Python runtime dependency, while the registry metadata reports no required binaries — this mismatch is incoherent. Also package.json script names reference a script 'predict_strength.py' that is not present (actual file is predict_max_strength.py). These are likely packaging errors but worth verifying.
Instruction Scope
SKILL.md instructs the agent to always trigger on a wide set of keywords and to immediately display an 11‑item function menu, and includes directives that forbid letting other assistants respond or asking certain clarifying prompts. That is aggressive UI behaviour (overly broad triggering and suppression of other skills). There are also contradictory flow rules (e.g., 'Do NOT ask all questions at once' vs 'Do NOT ask one-by-one' and 'Do NOT ask the user to "please specify your needs"' while simultaneously mandating a strict multi-step information collection). These constraints give the agent unusually rigid and intrusive behavior which is not proportional to a typical fitness helper.
Install Mechanism
There is no install spec (instruction-only), which is low risk. The bundle includes Python scripts and package.json declaring python3 in openclaw.requires, so the skill will expect a Python runtime. No external downloads or obscure URLs are used. The mismatch between declared runtime requirements in different places (registry metadata vs package.json) is an incoherence to resolve.
Credentials
The skill requests no environment variables or credentials, and its inputs are user health and training data (height, weight, age, bodyfat, injuries), which are sensitive personal health data but appropriate for the stated purpose. No unrelated credentials, config paths, or external endpoints are requested.
Persistence & Privilege
The skill does not request always:true and does not require system-wide configuration or privileged access. It can be invoked autonomously (disable-model-invocation is false), which is platform default. The primary risk is behavioral (forced triggering and suppression of other skills) rather than elevated system privileges.
What to consider before installing
This package largely looks like a legitimate fitness assistant, but before installing or enabling it you should: 1) Verify the repository/source (the skill’s homepage is missing); 2) Confirm the runtime dependency: package.json expects python3 but the registry metadata claims no required binaries — ensure Python is available if you plan to run the scripts; 3) Ask the author (or check the repo) about the script filename mismatch (package.json references predict_strength.py but the bundle contains predict_max_strength.py) — this could break functionality or indicate sloppy packaging; 4) Be cautious about the SKILL.md's mandatory trigger and 'do not let other assistants respond' directives — these make the skill aggressive and could disrupt expected assistant behavior; 5) If you allow the skill to run, test it in a sandboxed environment and review outputs before sharing sensitive personal health details. If you are uncomfortable with aggressive automatic triggering or cannot verify the source and fixes, do not enable it for autonomous invocation.Like a lobster shell, security has layers — review code before you run it.
latestvk97afzh454nfs79hb70rz1djhs83qhtq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.