ClawHub
Back to skill
v0.1.0

Fitness Finder Locations

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:46 AM.

Analysis

This fitness-search skill is coherent and purpose-aligned, but it requires a Camino API key and sends search/location queries to Camino’s external API.

GuidanceThis skill appears safe for its stated purpose. Before installing, be comfortable storing a Camino API key in your Claude settings and sending fitness-location searches to Camino. Prefer installing only this specific skill unless you need the larger Camino suite.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
Install all available skills ... npx skills add https://github.com/barneyjm/camino-skills

The documentation recommends a user-run install from a GitHub repository and optionally installing the whole Camino suite. This is disclosed, but it broadens the installed skill surface beyond the single reviewed skill.

User impactInstalling the full suite may add more capabilities than needed for fitness searches.
RecommendationInstall only the specific fitness-finder skill unless you want the broader Camino suite, and review any additional skills before enabling them.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/fitness-finder.sh
-H "X-API-Key: $CAMINO_API_KEY"

The script sends the configured Camino API key with each request. This is expected for the Camino integration, but it uses a credential and may consume the user's API quota.

User impactThe skill can use the Camino account/API key configured in the environment when performing searches.
RecommendationUse a Camino key you are comfortable using with this skill, monitor usage, and avoid sharing the key in prompts or logs.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/fitness-finder.sh
"https://api.getcamino.ai/query?${QUERY_STRING}"

The script sends the user's search query and optional latitude/longitude parameters to Camino's external API. This is disclosed and central to the location-search purpose.

User impactFitness searches, places, and coordinates may be visible to Camino's API service.
RecommendationAvoid using sensitive personal locations if you do not want them sent to Camino; review Camino's privacy and retention practices if this matters to you.