Hevy
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Hevy API CLI, but it needs your Hevy API key and includes some disclosed commands that can change routines or exercises.
Before installing, confirm that the `hevy` binary comes from a trusted source and that you are comfortable giving it your Hevy API key. Use read commands freely for workout history, but treat create/update commands as account-changing actions and review them before running.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill must provide an API key that can access their Hevy workout data, and possibly perform supported write actions depending on the API key's permissions.
The skill requires a Hevy API key, which is expected for accessing the user's Hevy account but still grants access to private workout data and supported account operations.
requires:
bins: ["hevy"]
env: ["HEVY_API_KEY"]
Use an API key only from your own Hevy account, keep it secret, revoke it if no longer needed, and prefer the narrowest available API permissions if Hevy supports scoping.
If the agent or user runs write commands, they may create or update routines, workouts, folders, or exercises in the Hevy account.
The skill is primarily described as querying workout data, but it clearly documents supported write operations that can change Hevy account data.
Write Operations (supported but use carefully)
- `POST /v1/workouts` - Create workout
- `PUT /v1/workouts/{id}` - Update workout
- `POST /v1/routines` - Create routine
- `PUT /v1/routines/{id}` - Update routine
Only run create or update commands after confirming the intended change; review JSON inputs before piping them to the CLI.
The user must ensure the installed `hevy` binary is the intended one and not a different program with the same name.
The metadata requires a `hevy` binary, but no install specification is provided to show how that binary is obtained.
No install spec — this is an instruction-only skill.
Install the CLI only from a trusted source, verify the binary path before use, and avoid using an unknown preinstalled `hevy` executable.
