ClawHub

Intervals Icu Api

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Intervals.icu API skill whose credential use and account-changing examples are disclosed and aligned with managing training data.

Use this skill only in trusted sessions, keep API keys and bearer tokens out of shared logs or transcripts, and review every POST, PUT, DELETE, or bulk command before running it. Prefer narrow date ranges, specific IDs, and field selections, and export or back up important training data before making broad changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README prominently documents privacy-sensitive and state-changing operations such as creating workouts, logging wellness, uploading activities, and deleting calendar events without any caution about data modification, consent, or irreversible changes. In an agent skill context, this increases the risk that an automated system could perform writes against a user's training account or wellness records without explicit confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill contains numerous POST and PUT examples that create or modify live athlete activities, events, wellness records, and sport settings, but it does not clearly warn users that these operations are state-changing and can alter production training data. In an agent setting, documentation that mixes read and write operations without prominent guardrails increases the risk of unintended destructive or privacy-impacting actions, especially if an automated system follows examples directly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The authentication section shows direct use of API keys and bearer tokens in headers but does not warn about secure credential handling, storage, redaction, or log exposure. In agent and CLI workflows, this can lead to secrets being pasted into commands, shell history, transcripts, or debugging output, resulting in account compromise and unauthorized access to sensitive athlete data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal