Skill v1.0.1
ClawScan security
Hybrid training plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 3:34 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required credential line up with a straightforward CLI wrapper for hybridtrainingplan.app and request only the API key needed to operate.
- Guidance: This skill is a simple CLI wrapper for hybridtrainingplan.app and legitimately needs only your HYBRID_API_KEY. Treat that key like a password: only provide it to trusted agents and revoke it from your account if you stop using the skill. Before enabling, confirm you are comfortable the skill can mark days complete/skip, create/update session logs, and update 1RMs (it will perform those API actions). If possible, create a scoped API key (or one you can revoke) rather than using a long-lived key you rely on elsewhere. You may also review the included scripts/htp.sh yourself (it's short and readable) and ensure HYBRID_API_URL is set only if you trust a non-default endpoint.
Review Dimensions
- Purpose & Capability: ok. Name/description (viewing and managing a Hybrid Training Plan) matches what the skill does: a small CLI wrapper that calls hybridtrainingplan.app endpoints. Required binaries (curl, jq) and the single env var (HYBRID_API_KEY) are appropriate and expected.
- Instruction Scope: ok. SKILL.md directs the agent to use the provided scripts/htp.sh to call the documented API endpoints and to set HYBRID_API_KEY (and optional HYBRID_API_URL). The instructions do not request unrelated files, system state, or other credentials, nor do they direct data to unexpected external endpoints.
- Install Mechanism: ok. No install spec; this is instruction-only with a small included shell script. Nothing is downloaded from external, untrusted URLs and the script itself is short and readable.
- Credentials: ok. Only HYBRID_API_KEY (primary credential) is required. That is proportionate: the skill needs to authenticate to the user's hybridtrainingplan.app account to read/update plans and logs. No unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. always is false and the skill does not request persistent system-wide privileges or alter other skills. It only expects the API key to be set in the agent environment and a local executable script to be made runnable.
