Strong Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's behavior is consistent with its stated purpose, Strong workout API access, but it requires Strong account credentials and includes commands that can expose tokens or create share links.

Install only if you are comfortable giving the skill access to your Strong account. Treat any login or refresh-token output as secret, and only use sharing commands when you intentionally want to create a shareable link for a workout log or template.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Severity: Medium)

What this means

If installed and used, the agent can authenticate to the user's Strong account and retrieve account, workout, exercise, and template data; token outputs should be treated like credentials.

Why it was flagged

The skill requires Strong account credentials and documents commands that return session tokens. This is expected for the stated API integration, but it is sensitive authority.

Skill content

`STRONG_USERNAME` | Strong account username or email ... `STRONG_PASSWORD` | Strong account password ... **Output:** `{ "accessToken": "eyJ...", "refreshToken": "kf3Z...", "userId": "uuid" }`

Recommendation

Only set these environment variables in a trusted environment, avoid asking the agent to display login tokens unless needed, and rotate the Strong password if credentials or tokens are exposed.

ASI02: Tool Misuse and Exploitation (Severity: Medium)

What this means

A share command may make a workout log or template accessible through a generated link.

Why it was flagged

The skill includes a POST operation that creates a share link for a workout log. This is documented and purpose-aligned, but it can expose private workout information if run unintentionally.

Skill content

`def cmd_share_log(args): ... _request("POST", f"/api/users/{user_id}/logs/{args.log_id}/link", headers=_auth_headers(token))`

Recommendation

Use `share_log` and `share_template` only after an explicit user request and review what item ID is being shared.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)

What this means

It may be harder for a user to verify the publisher or compare the installed skill against an upstream repository before providing Strong credentials.

Why it was flagged

The registry metadata does not provide a verified source repository for the skill package. The included code is visible and there is no install script, so this is a provenance note rather than a concrete unsafe behavior.

Skill content

Source: unknown

Recommendation

Review the included `scripts/strong_runner.py` and publisher details before installation, especially because the skill uses account credentials.