ClawHub

intervals.icu CLI

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Intervals.icu CLI helper that can read and change fitness account data, but its sensitive behavior is purpose-aligned and includes user-directed write limits.

Install only if you trust the intervals CLI release source and are comfortable giving the agent access to your Intervals.icu account. Confirm the intended account with auth status, review generated dates and JSON before any create/upsert/wellness command, and prefer read or verification commands around mutations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill enables implicit invocation without any visible activation constraints, meaning an agent may call the Intervals CLI automatically based only on loose relevance matching. Because this CLI can inspect account activity and perform write operations such as creating workout events, library items, or wellness data, unintended invocation could expose private fitness data or cause unauthorized changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This documentation teaches direct write operations that modify persistent events, workouts, and wellness records, but it does not prominently warn that these commands change user data or advise confirmation before execution. In an agent skill context, that omission is risky because an autonomous or semi-autonomous agent may treat the examples as routine actions and perform unintended writes, causing data corruption, duplication, or privacy-impacting changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal