Hybrid training plan
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do what it says: connect to Hybrid Training Plan with an API key so it can view and update your workout plan.
This looks coherent and purpose-aligned. Install it only if you are comfortable giving the agent a Hybrid Training Plan API key and allowing it, when asked, to read your plan and update workout logs, day status, and exercise maxes. Use a dedicated API key and keep the default API URL unless you trust an alternative endpoint.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with access to this environment variable could use the key to access the user's training-plan data.
The skill requires a bearer API key for the user's Hybrid Training Plan account. This is expected for the integration, but it grants account-level access according to the API key's permissions.
Generate an API key at hybridtrainingplan.app/account ... export HYBRID_API_KEY="htp_your_key_here"
Use a dedicated, revocable API key for this skill, keep it out of shared logs or prompts, and revoke it if the skill is no longer needed.
If invoked incorrectly, the agent could mark the wrong day complete or skipped, overwrite a session log, or update an exercise max incorrectly.
The helper exposes API operations that modify the user's training plan, session logs, and exercise maxes. These match the stated purpose but are real account mutations.
complete) ... htp_patch "/api/plans/$plan_id/days/$date" '{"status":"completed"}' ... skip) ... htp_patch ... '{"status":"skipped"}' ... log-session) ... htp_put "/api/session-logs" "$body" ... set-max) ... htp_post "/api/exercise-maxes" "$body"
Before asking the agent to make changes, confirm the date, plan ID, session ID, and values; review results after mutations.
Workout data and the authorization token are sent to the configured API service.
The script sends authenticated requests to the Hybrid Training Plan API, and optionally to a user-configured API URL. This is disclosed and purpose-aligned, but it carries personal training data and the bearer token to that endpoint.
API_URL="${HYBRID_API_URL:-https://api.hybridtrainingplan.app}" ... curl -sf -H "Authorization: Bearer $API_KEY" "$API_URL$1"
Use the default API URL unless you intentionally trust another endpoint, and avoid setting HYBRID_API_URL to an untrusted server.
