ClawHub

FitnessRec FitAPI

v1.0.0

16k+ foods (120+ nutrients, USDA/NUTTAB/CNF2015/MEXT/FRIDA), 3M+ branded/barcodes, 80k+ local recipes, 5k+ exercises. Filter/sort by any nutrient. 48 languages.

1· 97·0 current·0 all-time
by@emreakkoc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description advertise a food & exercise API; the SKILL.md, skill.yaml, and config.schema.json all request exactly an API key and network access and reference fitapi.fitnessrec.com endpoints — these are proportionate to the stated purpose.
Instruction Scope
Runtime instructions are limited to POST/GET calls to fitapi.fitnessrec.com and include the required Authorization header. Minor inconsistencies: SKILL.md 'requires' lists 'api_key' while config.schema.json and skill.yaml name the config field 'apiKey' (camelCase). Also some endpoints that look like simple retrievals use POST instead of GET — functional oddities but not intrinsically malicious.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing is written to disk and no third-party packages are fetched, which is the lowest-risk install profile.
Credentials
The only required secret is an API key (declared in config.schema.json). No unrelated credentials, filesystem paths, or broad secrets are requested; network permission is reasonable for an external API connector.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request elevated platform-level presence or attempt to modify other skills or system-wide configuration.
Assessment
This skill appears to be a straightforward connector to the FitAPI service. Before installing: 1) Confirm you trust fitapi.fitnessrec.com (no homepage was provided; verify the service and domain ownership). 2) Expect to provide an API key — keep it secret and use a least-privilege key if available. 3) Note the minor config mismatch: the SKILL.md calls the credential 'api_key' while config.schema.json/skill.yaml expect 'apiKey' — ensure you set the key under the name the platform requires. 4) Review the service's privacy/policy and rate limits (free tier is 10/day). 5) Because the skill may be invoked autonomously and has network permission, avoid using it with highly sensitive data unless you trust the external API. If you want higher assurance, contact the provider or test with a throwaway API key first.

Like a lobster shell, security has layers — review code before you run it.

barcodevk979ygxb80yg44e3yff5nbmd91837yfvexercisevk979ygxb80yg44e3yff5nbmd91837yfvfitapivk979ygxb80yg44e3yff5nbmd91837yfvfitnessvk979ygxb80yg44e3yff5nbmd91837yfvfitnessrecvk979ygxb80yg44e3yff5nbmd91837yfvfoodvk979ygxb80yg44e3yff5nbmd91837yfvlatestvk979ygxb80yg44e3yff5nbmd91837yfvnutritionvk979ygxb80yg44e3yff5nbmd91837yfvrecipesvk979ygxb80yg44e3yff5nbmd91837yfv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments