Hevy
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: hevy Version: 0.2.0 The OpenClaw AgentSkills skill bundle for Hevy provides a CLI to interact with the Hevy workout tracking API. It requires an API key from the `HEVY_API_KEY` environment variable. The `SKILL.md` clearly outlines both read and write operations (e.g., `hevy workouts`, `hevy create-routine`) against the `https://api.hevyapp.com` endpoint. The source code (`src/api.ts`, `src/cli.ts`, `src/config.ts`) confirms these interactions, with no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence, obfuscation, or prompt injection attempts against the agent to perform actions beyond the stated purpose. File reading (`fs.readFileSync` in `src/cli.ts`) is used legitimately for `--file` input options.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill must provide an API key that can access their Hevy workout data, and possibly perform supported write actions depending on the API key's permissions.
The skill requires a Hevy API key, which is expected for accessing the user's Hevy account but still grants access to private workout data and supported account operations.
requires:
bins: ["hevy"]
env: ["HEVY_API_KEY"]Use an API key only from your own Hevy account, keep it secret, revoke it if no longer needed, and prefer the narrowest available API permissions if Hevy supports scoping.
If the agent or user runs write commands, routines, workouts, folders, or exercises in the Hevy account may be created or updated.
The skill is primarily described as querying workout data, but it clearly documents supported write operations that can change Hevy account data.
Write Operations (supported but use carefully)
- `POST /v1/workouts` - Create workout
- `PUT /v1/workouts/{id}` - Update workout
- `POST /v1/routines` - Create routine
- `PUT /v1/routines/{id}` - Update routineOnly run create or update commands after confirming the intended change; review JSON inputs before piping them to the CLI.
The user must ensure the installed `hevy` binary is the intended one and not a different program with the same name.
The metadata requires a `hevy` binary, but no install specification is provided to show how that binary is obtained.
No install spec — this is an instruction-only skill.
Install the CLI only from a trusted source, verify the binary path before use, and avoid using an unknown preinstalled `hevy` executable.