Back to skill
Skillv1.2.2
ClawScan security
Fitness & Workout Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 1:07 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its fitness/logging purpose: it stores data locally, requires only python3, and optionally integrates with Feishu via a single optional environment variable.
- Guidance
- This skill appears to do what it says: local workout parsing, session handling, and optional Feishu sync. Before installing, consider: 1) Feishu integration is optional — only set FEISHU_FITNESS_DOC_ID if you want sync; ensure the Feishu bot credentials/permissions you provide are limited to the needed doc read/write and messaging scopes. 2) The skill stores all plans/logs under ~/.openclaw/workspace/fitness-skill — review or back up that directory if you care about privacy. 3) SKILL.md mentions runtime hooks (AGENTS.md, HEARTBEAT.md, scheduler/feishu_api) that are provided by the OpenClaw runtime; verify your runtime supplies those APIs or the sync/auto-close features may not work. 4) If you plan to enable Feishu sync or run this on a shared environment, inspect the skill's sync_to_feishu and scheduler code paths (present in the full fitness_skill.py) to confirm no additional network endpoints or credentials are used beyond the Feishu doc ID. 5) As always, run untrusted code in a constrained environment if you are unsure.
Review Dimensions
- Purpose & Capability
- okName/description, manifest entry points, and included scripts align: the package ships CLI entry points (fitness-plan, fitness-log, fitness-status) implemented in the provided Python files and stores data under ~/.openclaw/workspace/fitness-skill. The only required binary is python3, which is appropriate for the delivered Python scripts.
- Instruction Scope
- noteSKILL.md instructs the agent to route workout and logging requests here and documents local JSON storage, session lifecycle, and optional Feishu sync. The instructions do not ask for unrelated credentials or to read unrelated system paths. Note: SKILL.md references AGENTS.md and HEARTBEAT.md rules and scheduler behavior (cron/heartbeat) that are not included in the bundle; those behaviors depend on the OpenClaw runtime and may be non-functional or require runtime-provided hooks.
- Install Mechanism
- okNo install spec; the skill is effectively delivered as scripts and docs. requirements.txt declares no external packages and the code uses only Python standard library, so nothing external is downloaded or extracted during install.
- Credentials
- okNo required environment variables. One optional env var (FEISHU_FITNESS_DOC_ID) is declared for Feishu document sync and is proportionate to the described Feishu integration. No other credentials or unrelated env vars are requested.
- Persistence & Privilege
- okThe skill does persist data locally under the user's home (~/.openclaw/workspace/fitness-skill) which matches its purpose. always:false and normal autonomous invocation settings are used. The skill does not request system-wide changes or modify other skills' configs in the shipped code.