Back to skill
Skillv1.0.0
ClawScan security
Concept2-logbook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 5:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions consistently implement a Concept2 Logbook data fetch-and-analysis tool that only needs the user's Concept2 API token and does not request unrelated credentials or perform unexpected installs.
- Guidance
- This skill appears to do exactly what it says: fetch and analyze Concept2 Logbook data. Before you install/use it, be aware that you must supply your Concept2 API token (via --token or equivalent). Treat that token as a secret: don't paste it into shared logs or public places. If you plan to run the script on a machine you don't control, consider creating a limited Concept2 token or running it locally. If you need higher assurance, review the full fetch_workouts.py file yourself (it only calls log.concept2.com and performs local calculations) and check any output before sharing it with third parties.
Review Dimensions
- Purpose & Capability
- okName/description match the included code and docs: the script calls Concept2's API, computes HR zones, trends, and workout metrics. The SKILL.md and references describe the same endpoints used by the script. The skill does not request unrelated cloud credentials or system-level access.
- Instruction Scope
- okRuntime instructions are limited to calling the Concept2 API with an access token (passed via --token) and formatting/printing or exporting the returned workout data. The SKILL.md does not instruct reading arbitrary local files, system secrets, or sending data to third parties outside the Concept2 API.
- Install Mechanism
- okNo install spec is provided (instruction-only with a bundled script). This minimizes disk-write/install risk. The Python script uses standard libraries and optionally requests; no external downloads or archive extraction are performed by an installer.
- Credentials
- okNo environment variables or credentials are declared in the registry metadata. The SKILL.md and script require a Concept2 API token supplied at runtime (CLI argument), which is appropriate and proportionate for the described functionality. There are no other secret-like env variables requested.
- Persistence & Privilege
- okThe skill is not always-enabled, does not request persistent system modifications, and does not modify other skills' configs. It runs as an on-demand script and has normal autonomous-invocation defaults.