Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Runstr analytics
v1.0.1 Advanced RUNSTR fitness analytics with trend analysis, performance insights, training recommendations, and correlation tracking. Analyzes workout history, ha...
⭐ 0 · 181 · 0 current · 0 all-time
by Katla (@katla50)
MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (RUNSTR analytics) aligns with the code and dependencies: it fetches encrypted RUNSTR backups from Nostr relays, decrypts them using a Nostr private key, analyzes workouts, and caches results. The required binary 'nak' and Python packages (pandas/numpy/scipy/requests) are appropriate for this purpose. However, the registry metadata at the top listed no required environment variables, while _meta.json and SKILL.md both declare RUNSTR_NSEC as required, an inconsistency between the declared registry fields and the bundled files.
Instruction Scope
SKILL.md and the scripts instruct the agent/user to provide the Nostr private key (nsec1...) and even suggest 'Tell your bot: "Here's my RUNSTR nsec: nsec1..."', i.e., pasting the secret into chat, which is risky. SKILL.md repeatedly claims the key is passed via stdin to avoid process-list leaks, but several code paths contradict this: analyze.py and analyze_light.py call nak with the nsec as a CLI argument, and daily_update.sh passes --nsec "$NSEC" to the Python script. Those will expose the secret to process listings and to any process collectors on the system. The skill reads/writes only a local cache (~/.cache/runstr-analytics) and communicates only with the listed Nostr relays; there are no hidden external endpoints, but the mixed secret-handling behavior is problematic.
Install Mechanism
The install spec uses 'go' to install github.com/fiatjaf/nak and pip to install Python analytics libraries. Installing nak from that Go package is consistent with needing the 'nak' CLI; pip packages are expected for pandas/numpy/scipy/requests. These are standard registries; no downloads from untrusted personal servers or URL shorteners are used.
Credentials
The only secret the skill needs is a Nostr private key (RUNSTR_NSEC), which is proportionate to decrypting the user's RUNSTR backup. However: (1) the registry summary indicated no required env vars but the skill files and _meta.json require RUNSTR_NSEC — an incoherence. (2) The SKILL.md explicitly encourages pasting the private key into bot conversation (high-risk). (3) The recommended automation (cron) expects RUNSTR_NSEC in the environment and the provided daily_update.sh passes it as a command-line argument when invoking Python, exposing it to process lists. These behaviors increase the likelihood of accidental leakage of the private key.
Persistence & Privilege
always:false (not forced) and autonomous invocation is allowed (default). The skill optionally sets up a cron job and writes a local cache under ~/.cache/runstr-analytics; both are within the expected scope for this functionality. The cron setup is interactive and opt-in (setup_cron.sh prompts for confirmation). There is no evidence the skill modifies other skills or system-wide agent settings. Consider that if you add the cron job you are granting the skill ongoing scheduled execution on your machine.
What to consider before installing
This skill does what it says (fetch and analyze RUNSTR backups), but there are important inconsistencies and secret-handling risks you should address before installing:
- Do not paste your Nostr private key (nsec1...) into a chat message. SKILL.md suggests doing this, which risks the key being stored or transmitted by the agent. Prefer supplying secrets only through a secure channel: 1) environment variables, 2) stdin, or 3) temporary files with strict permissions; but see the next points.
- The README claims the key is passed via stdin to avoid exposure, but multiple scripts (analyze.py, analyze_light.py, daily_update.sh) pass the nsec on the command line or forward it as a --nsec argument, which exposes it in process listings (ps) and to other system monitoring. If you plan to use this, inspect and modify the code so all calls use stdin (the extended script already does this) or other safe mechanisms.
- The registry metadata at the top is inconsistent: it lists no required env vars, but _meta.json and SKILL.md require RUNSTR_NSEC. Treat RUNSTR_NSEC as required and verify how you will store/enter it. Avoid putting secrets in crontab or plain-text startup files. Cron jobs typically do not inherit your interactive environment; storing the key in files that cron reads will persist the secret — consider using a secure secret manager or run the job from a user-level systemd service with restricted environment instead.
- The install steps use a Go package to install 'nak' (github.com/fiatjaf/nak) and pip for analytics libs — confirm you trust those sources. 'nak' is necessary to read/decrypt Nostr data, but installing arbitrary CLI tools should be done from trusted releases.
- If you want to proceed: (1) prefer running the extended script which uses stdin for nak.decode; (2) edit analyze.py and analyze_light.py to use stdin for secret input; (3) avoid pasting secrets into chat and avoid placing RUNSTR_NSEC in crontab or unencrypted files; (4) ensure the cache location is on encrypted disk if you are concerned about local data disclosure.
If you are not comfortable auditing or modifying the scripts, treat this skill as risky and consider not installing it.
latest: vk971b46263q5rrpat9bgmn0b9s82wmwd
Runtime requirements
📊 Clawdis
Bins: nak, python3
Install
Install nak via Go
Bins: nak
