Hevy
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent read-only Hevy workout-data helper, with expected cautions about trusting the external CLI and protecting your Hevy API key.
Before installing, make sure you trust the external hevycli project, prefer a reviewed or pinned version if possible, configure your Hevy API key carefully, and treat exported workout JSON files as private personal data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed CLI will handle the user's Hevy account access and fitness data, so upstream changes to the CLI could affect what code runs locally.
The skill depends on an external third-party CLI installed from GitHub at the moving '@latest' version. This is disclosed and central to the purpose, but users are trusting code outside the supplied artifact.
User must have `hevycli` installed (`go install github.com/nsampre/hevycli@latest`)
Install the CLI only if you trust its source; consider reviewing the upstream project and using a pinned version instead of '@latest' where possible.
Anyone or anything with access to the configured API key may be able to read the user's Hevy fitness data through the CLI.
The skill requires account-level API credentials to retrieve Hevy data. This is expected for the stated integration, but it is sensitive authority that users should manage carefully.
User must have configured their Hevy API key (`hevycli config set-api-key <key>`)
Use only a trusted local environment, avoid pasting API keys unnecessarily, and revoke or rotate the Hevy API key if you suspect exposure.
