ClawHub

Gym

Security checks across malware telemetry and agentic risk

Overview

This is a fitness-coaching skill that stores local workout and body data in a scoped folder, with no hidden code, network use, or unrelated behavior found.

Install only if you are comfortable with the skill keeping local fitness records under ~/gym/. Avoid entering unnecessary medical details, review or delete those files if privacy matters, and consult a qualified professional for injuries, pain, medical conditions, or unfamiliar high-risk lifts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill is described broadly as general gym coaching without clear invocation boundaries, which increases the chance it will activate in loosely related conversations and influence responses unexpectedly. In an agent setting, over-broad routing can cause inappropriate persistence, advice generation, or file writes outside clear user intent, especially because this skill stores profile and workout data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs persistent storage of health-related preferences, restrictions, workout logs, and measurements in ~/gym/ without an explicit user-facing notice or consent step. Because this includes potentially sensitive fitness and injury information, users may unknowingly create lasting local records, creating privacy and surprise-retention risks if the device is shared, backed up, or later accessed by other tools.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file gives specific injury adaptation, rehabilitation timing, and return-to-training guidance without any visible disclaimer to seek advice from a physician, physical therapist, or other qualified professional. Because the content targets users with back, knee, shoulder, wrist, and post-injury limitations, readers may treat it as medical advice and follow unsafe recommendations that are inappropriate for their condition, potentially worsening an injury or delaying proper care.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The file provides detailed workout prescriptions, including potentially injury-prone movements such as squats, deadlifts, bench press, overhead press, weighted pull-ups, and bodyweight rows under furniture, but it does not include user-facing safety guidance, screening, or warnings about contraindications. In a fitness coaching skill, omission of basic safety caveats can lead users to attempt exercises beyond their ability, with poor form, inappropriate loading, or in unsafe environments, increasing risk of musculoskeletal injury.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal