Fitness Personal Assistant

Security checks across malware telemetry and agentic risk

Overview

This fitness skill appears purpose-built, but it needs review because it stores an Intervals.icu API key, reads sensitive fitness data, and can update wellness records from broad natural-language prompts.

Install only if you intentionally want this skill to read and update your Intervals.icu fitness data. Use a dedicated revocable API key, keep the config file private, prefer explicit commands over broad group-chat triggers, try --dry-run before syncing meals, and use --no-off if you do not want food names sent to OpenFoodFacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Tainted flow: 'CONFIG_FILE' from os.environ.get (line 26, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}
    
    STORAGE_PATH.mkdir(parents=True, exist_ok=True)
    with open(CONFIG_FILE, 'w') as f:
        json.dump(config, f, indent=2)
    
    os.chmod(CONFIG_FILE, 0o600)
Confidence
92% confidence
Finding
with open(CONFIG_FILE, 'w') as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares only tools but no explicit permissions boundary, while the documented behavior clearly includes environment-variable access, local file writes, shell usage, and outbound network access. This creates an authorization gap: operators may approve the skill based on incomplete capability disclosure and expose secrets, files, or network access beyond what they expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior substantially exceeds the stated purpose, including advanced health analysis, predictions, training planning, and possible activity-file uploads. Such scope creep is risky because users and reviewers may consent to a simple sync utility while unknowingly granting a broader tool that processes sensitive health data and performs additional remote actions.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script goes far beyond passive status reporting and generates prescriptive health, recovery, training, and nutrition guidance such as telling the user to stop training, rest for multiple days, monitor body temperature, or follow calorie/protein targets. In a fitness assistant context, this is risky because it can be mistaken for individualized medical or diet advice without clinician oversight, validation, or safety guardrails for contraindications, injuries, eating disorders, or underlying conditions.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script interactively collects an Intervals.icu API key and persists it locally, which expands its authority beyond simple data sync behavior and creates a long-lived secret on disk. In a skill context, this increases risk because users may not expect credential capture and storage as part of routine fitness logging automation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README presents very broad, everyday natural-language phrases such as meal descriptions as direct triggers for logging actions, but it does not define clear activation boundaries, confirmation steps, or disambiguation rules. In an agent or chat context, this can cause unintended execution from ordinary conversation, leading to accidental health-data processing or uploads to third-party services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script stores the user's API key in a local JSON config file and does not clearly warn the user before persisting the credential. Even with chmod 0600, plaintext secrets on disk are vulnerable to backup leakage, accidental sharing, misconfigured filesystems, or later compromise of the user account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends raw user-provided food names to the external OpenFoodFacts service via `requests.get(...)` without any visible consent, disclosure, or opt-in at the point of transmission. Even though the data appears low sensitivity, food queries can reveal health status, religion, allergies, dieting behavior, or other personal lifestyle information, making this a real privacy/security issue in a fitness assistant context.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill retrieves and processes sensitive health, wellness, nutrition, and activity data through multiple API calls, yet the code shows no user-facing notice, consent flow, or minimization around that processing. In a fitness assistant context, this is more dangerous because the data includes highly sensitive biometric and behavioral information, increasing privacy and compliance risk if users are unaware of the breadth of collection and analysis.

VirusTotal

66/66 vendors flagged this skill as clean.
