Trainer Buddy Pro

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: normieclaw-trainer-buddy-pro
Version: 1.0.3

Trainer Buddy Pro is a fitness-focused skill that manages workout data and user profiles locally. The skill includes explicit prompt-injection defenses in SKILL.md, instructing the agent to treat external content (like OCR text from gym photos) strictly as data. The provided shell script (backup-workout-data.sh) is designed for local data maintenance with safety guards to prevent path traversal, and the overall architecture adheres to local storage principles without external data exfiltration or suspicious network activity.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your workout history, body information, PRs, and injury notes may be stored locally and reused to shape future recommendations.

Why it was flagged

The skill is designed to persist and reuse personal fitness and health-adjacent information, including injuries and body metrics, across future sessions.

Skill content

"Cross-reference user profile" from `data/user-profile.json` ... schema includes "age", "gender", "weight_lbs", "height_in", "injuries", "limitations"

Recommendation

Use this only if you are comfortable keeping that information in local files; protect the data directory with appropriate file permissions or disk encryption if privacy matters.

What this means

Running the setup commands changes files and permissions in your workspace, and the backup script is local code you may later execute.

Why it was flagged

The skill has no automatic install spec, but it documents user-run shell setup and copies a backup script into the workspace.

Skill content

Run these commands from your OpenClaw workspace root: ... `cp "$SKILL_SOURCE/scripts/backup-workout-data.sh" scripts/backup-workout-data.sh` ... `chmod 700 scripts/backup-workout-data.sh`

Recommendation

Review the setup commands and backup script before running them, especially because the included script appears syntactically malformed in the supplied artifact.

What this means

The backup helper may fail or behave differently than the documentation suggests.

Why it was flagged

The helper script contains an unexpected malformed shell fragment before its backup logic, which undermines the reliability of the packaged helper even though it does not show exfiltration or privilege escalation.

Skill content

find_skill_root() {
    cd "$(dirname "$0")/.." && pwd
}
")" && pwd)"

Recommendation

Do not run the backup script until it has been corrected and reviewed; prefer manual backups of the skill's data directory if needed.

What this means

If you build or enable the optional cloud dashboard, your workout, body metric, and injury-related data may leave your machine.

Why it was flagged

The optional dashboard design can move workout/profile data from local JSON files into a cloud database if a user chooses that mode.

Skill content

Database: Supabase (PostgreSQL) — or read directly from JSON files for local-only setups ... dashboard reads from `data/workout-log.json` (local mode) OR syncs to Supabase (cloud mode)

Recommendation

Use the local JSON mode unless you intentionally want cloud sync, and configure authentication, database permissions, and row-level security before storing personal data in Supabase.

What this means

Marketing-style security claims may make the skill seem more formally audited than the supplied artifacts prove.

Why it was flagged

The package makes strong self-audit and safety claims. They are mostly consistent with the core local-only artifacts, but users should not treat self-attestation as independent verification.

Skill content

🛡️ Codex Security Verified 🛡️ ... No data exfiltration ... No destructive operations

Recommendation

Rely on the actual permissions and files you review, not on the package's own security badge or guarantees.