Trainer Buddy Pro
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
This skill looks purpose-aligned for local fitness coaching and progress tracking. Before installing, be aware that it may keep sensitive injury and body information in local files, review any shell commands or backup scripts before running them, and avoid the optional cloud dashboard path unless you are comfortable configuring and trusting a cloud database for your fitness data. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your workout history, body information, PRs, and injury notes may be stored locally and reused to shape future recommendations.
The skill is designed to persist and reuse personal fitness and health-adjacent information, including injuries and body metrics, across future sessions.
"Cross-reference user profile" from `data/user-profile.json` ... schema includes "age", "gender", "weight_lbs", "height_in", "injuries", "limitations"
Use this only if you are comfortable keeping that information in local files; protect the data directory with appropriate file permissions or disk encryption if privacy matters.
Running the setup commands changes files and permissions in your workspace, and the backup script is local code you may later execute.
The skill has no automatic install spec, but it documents user-run shell setup and copies a backup script into the workspace.
Run these commands from your OpenClaw workspace root: ... `cp "$SKILL_SOURCE/scripts/backup-workout-data.sh" scripts/backup-workout-data.sh` ... `chmod 700 scripts/backup-workout-data.sh`
Review the setup commands and backup script before running them, especially because the included script appears syntactically malformed in the supplied artifact.
The backup helper may fail or behave differently than the documentation suggests.
The helper script contains an unexpected malformed shell fragment before its backup logic, which undermines the reliability of the packaged helper even though it does not show exfiltration or privilege escalation.
find_skill_root() {
  cd "$(dirname "$0")/.." && pwd
}
")" && pwd)"
Do not run the backup script until it has been corrected and reviewed; prefer manual backups of the skill's data directory if needed.
If you build or enable the optional cloud dashboard, your workout, body metric, and injury-related data may leave your machine.
The optional dashboard design can move workout/profile data from local JSON files into a cloud database if a user chooses that mode.
Database: Supabase (PostgreSQL) — or read directly from JSON files for local-only setups ... dashboard reads from `data/workout-log.json` (local mode) OR syncs to Supabase (cloud mode)
Use the local JSON mode unless you intentionally want cloud sync, and configure authentication, database permissions, and row-level security before storing personal data in Supabase.
Marketing-style security claims may make the skill seem more formally audited than the supplied artifacts prove.
The package makes strong self-audit and safety claims. They are mostly consistent with the core local-only artifacts, but users should not treat self-attestation as independent verification.
🛡️ Codex Security Verified 🛡️ ... No data exfiltration ... No destructive operations
Rely on the actual permissions and files you review, not on the package's own security badge or guarantees.
