Lofy Fitness

Security checks across malware telemetry and agentic risk

Overview

This fitness tracker appears purpose-aligned and local-only, with the main consideration being that it stores sensitive fitness, meal, and health-related notes in a local JSON file.

Install only if you are comfortable with the agent keeping local records of workouts, meals, weight, goals, consistency, and possible injury or pain notes. Set a clear preference that it should only log items you explicitly ask to save, and periodically review or delete data/fitness.json if you do not want the history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 85%

Finding
The skill description is broad enough to activate on ordinary fitness or health conversation, not just explicit requests to log or summarize data. Because the skill is designed to read and update a persistent fitness file, over-broad triggering can cause unexpected handling and storage of sensitive health-related information without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The skill defines persistent storage for workouts, meals, body weight, and related health data but does not warn the user that this information will be stored locally. This creates a privacy risk because users may disclose sensitive health or lifestyle information in conversation without realizing it is being retained.

Missing User Warnings

Severity: Medium
Confidence: 95%

Finding
The instruction to update the JSON immediately after any fitness conversation mandates automatic persistence, even when the user may only be casually discussing workouts, meals, injury, or body metrics. In this context, the risk is amplified because the stored content concerns health and behavioral data, which is more sensitive than ordinary preference data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal