Hevy

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate Hevy CLI, but its read-focused description understates documented account-changing commands.

Install only if you intend to let an agent access your Hevy account with HEVY_API_KEY. Treat this as a read/write tool, not just a workout lookup helper: review any create or update command before it runs, and verify the hevy binary is from the expected package/source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill requires an API key and makes network calls to a third-party service, but it does not declare explicit permissions for those capabilities. This weakens platform-level transparency and control, making it easier for a skill with external data access to be invoked without clear user or system awareness of the sensitive capabilities it uses.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a query-only workout lookup tool, but the documentation exposes multiple mutating operations that can create or update workouts, routines, folders, and exercise templates. This mismatch can cause an orchestrator or user to trust the skill in read-only contexts while it is actually capable of modifying account data, creating a significant integrity risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest and description frame the skill as a data-query tool, but the same file documents commands for creating and updating user data. In context, this is dangerous because the skill accesses a personal fitness account, so unexpected write capability could alter or pollute a user's workout history and routines.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file explicitly claims the CLI focuses on read operations while also presenting write commands as normal documented functionality. This contradictory messaging increases the chance that reviewers, agents, or users will underestimate the risk of account modification and invoke the tool in contexts where only non-mutating behavior was expected.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill metadata describes a query-only workout data capability, but this client exposes multiple state-changing methods such as createWorkout, updateWorkout, createRoutine, updateRoutine, createRoutineFolder, and createExerciseTemplate. This creates a privilege and expectation mismatch: an agent or user may believe the skill is read-only while it can modify remote fitness data, enabling unauthorized or unintended changes if these methods are wired into tool use.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata says this tool is for querying workout data, but the CLI also exposes write operations that create and update routines, folders, and exercise templates. In an agent setting, this capability mismatch breaks least-privilege expectations and can lead to unauthorized state changes if the agent or user assumes the skill is read-only.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Routine, folder, and exercise mutation features are inconsistent with the stated purpose of querying workout history and progress. This makes the skill more dangerous in practice because an orchestrating agent may invoke it under the assumption that it only reads data, enabling unintended or attacker-induced modifications to a user's fitness account.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language is broad enough to match generic fitness conversations, which can cause the skill to activate in situations where the user did not intend to query a connected Hevy account. Because the skill can access personal workout history and also documents write operations, over-broad activation expands both privacy and integrity exposure.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill accesses personal workout history through an API key, but the documentation does not prominently warn about the privacy implications of retrieving account-linked health/fitness data. In this context, that omission matters because workout history can reveal sensitive behavioral and health-related information and may be fetched more casually than users expect.

VirusTotal

64/64 vendors flagged this skill as clean.
