ClawHub

Nexus — Workout & Nutrition Tracker

v1.1.0

Log and track workouts, meals, weight, and fitness friends with OAuth-secured cloud storage and conversational queries in Nexus.

0· 28·0 current·0 all-time
byKushal@kiluazen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (workout & nutrition tracker) matches the SKILL.md commands (log, history, update, friends). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are narrowly scoped to installing/using the Nexus CLI, authenticating via Google, and reading/writing fitness entries (files, stdin, or inline JSON). The instructions do not instruct the agent to read arbitrary system files, environment variables, or send data to unexpected endpoints beyond the Nexus service.
Install Mechanism
There is no declared install spec in the registry (instruction-only), but the SKILL.md tells users to run 'uv tool install nexus-fitness' to obtain the CLI. That implies downloading/executing third-party code at install time — expected for a CLI but worth verifying the 'uv' installer and the package source before running.
Credentials
No environment variables or credentials are declared by the skill; the only auth described is interactive Google OAuth, which is proportionate for a cloud-backed personal data service. The SKILL.md does not request unrelated secrets.
Persistence & Privilege
The skill does not request 'always: true', does not declare elevated persistence or modifications to other skills, and uses normal agent invocation semantics.
Assessment
This skill appears to be what it claims (a CLI-based fitness tracker) and contains links to a GitHub repo and website, but before installing: 1) inspect the GitHub repo or website to confirm the CLI's source and review the code or release artifacts; 2) verify what permissions the Google OAuth flow requests (only grant the minimum needed); 3) be cautious running the 'uv tool install' command — confirm what 'uv' is and that it fetches releases from a trusted host; 4) review the privacy policy to understand how your fitness and friend data is stored/shared; and 5) avoid providing unrelated credentials or system access. Because this skill is instruction-only and installs a third-party binary at runtime, I assign medium confidence — more confidence would require seeing the actual CLI code or a well-known release artifact.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d0zgrt7wdc3mgyfwweyz8m584hpn2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments