Skill v1.0.1
ClawScan security
AI Running Coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 7:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and data files are consistent with an AI running coach that generates plans and parses TCX/GPX files; nothing requests unrelated credentials or external network access.
- Guidance: This skill appears coherent and implements the described running-coach features locally. Before installing/using: 1) Ensure the agent environment has a trusted Python runtime (SKILL.md assumes 'python') since metadata didn't list required binaries. 2) Review the included scripts (they run locally and do not perform network calls) if you need to verify behavior. 3) Be aware you will provide personal/health data (race times, heart rates, possibly GPX/TCX files) — treat that as sensitive and avoid sending it to third parties. 4) Note some defaults (e.g., default weekly_km values) may be unrealistic; validate outputs and consult a qualified coach/medical professional for injury concerns. If you want extra assurance, run the scripts in a sandboxed environment or inspect/execute them locally before enabling autonomous invocation.
Review Dimensions
- Purpose & Capability (ok): Name/description (VDOT-based running coach) matches the included scripts (plan generation, run analysis, pace/HR calculations) and reference docs. The functionality implemented is appropriate for the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to run the provided Python scripts and to accept user-uploaded TCX/GPX files and personal data (PB, target time, HR, optional age/weight/injury history). That behaviour is expected for this skill. Minor inconsistency: metadata did not declare Python as a required binary even though runtime examples call 'python'.
- Install Mechanism (ok): No install spec — the skill is delivered as scripts and documentation to run in-place. No downloads, external installers, or URLs are used. This is low-risk from an install mechanism perspective.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. It only processes user-supplied activity files and optional personal/physiological inputs, which are proportionate to the stated functionality.
- Persistence & Privilege (ok): always:false and default invocation settings — the skill does not request permanent/always-on privileges or modifications to other skills; no elevated platform privileges are requested.
