ClawHub

Hevy

v0.0.1

Access and analyze your Hevy fitness data via CLI to view workouts, routines, exercises, export JSON data, and track fitness progress.

1· 1.7k·1 current·1 all-time
by@nsampre
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's runtime instructions clearly target the hevycli command-line tool and a Hevy API key to read a user's workout data. However, the registry metadata declares no required binaries, no required environment variables, and no primary credential. That mismatch (instructions require a binary and API key but metadata lists none) is incoherent.
Instruction Scope
The SKILL.md stays within the stated purpose (listing/getting workouts, routines, templates, exporting JSON). It does instruct the agent/user to run `go install github.com/nsampre/hevycli@latest` and to configure an API key via `hevycli config set-api-key`. It does not ask the agent to read unrelated files or exfiltrate data. Minor caution: using `--debug` may expose request details (potentially including sensitive tokens) in logs.
Install Mechanism
There is no registry install spec (instruction-only), but SKILL.md instructs the user to run `go install` against a GitHub repo. Fetching and building code from a remote repository is normal for Go CLIs but requires trusting that GitHub source — the skill does not provide a vetted install artifact or pinned release in the metadata.
!
Credentials
The instructions require a Hevy API key and a Hevy Pro subscription, yet the skill metadata declares no credentials or required env vars. The absence of declared credentials is inconsistent and hides that an API key (sensitive secret) must be provided and stored locally by the CLI. The SKILL.md also advises using debug output which could surface sensitive data.
Persistence & Privilege
The skill does not request always:true or any persistent system-wide privileges. It is user-invocable and allows normal autonomous invocation. It does not declare modifying other skills or system configs.
What to consider before installing
Before installing or using this skill: 1) Be aware the SKILL.md expects you to install a third-party Go package (github.com/nsampre/hevycli) — review that repository's source and releases to ensure you trust it. 2) The skill needs your Hevy API key (sensitive). Confirm how `hevycli` stores that key locally and avoid sharing it; do not enable `--debug` unless necessary. 3) The registry metadata is incomplete (it should list the hevycli binary and required credential). Treat this mismatch as a packaging/attention-to-detail problem — it may be harmless, but verify the upstream code and read the CLI's config/storage behavior before providing secrets. 4) If possible, prefer installing a pinned release (not @latest) and inspect the code/build artifacts for unexpected network or file-access behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a6wr6pe8vx9e0wfnn55nmad800y2a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments