Skill v2.0.1
ClawScan security
Intervals Icu Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 8:27 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (using the intervals.icu API) but it fails to declare the API credentials it expects and has a minor coherence gap around credential handling.
- Guidance: This skill is an instruction-only guide for the official intervals.icu API and appears to be what it claims, but it does not declare the API credentials it expects in its metadata. Before installing or using:
  1) Be prepared to provide your Athlete ID and API key / bearer token; only give these to skills you trust.
  2) Prefer supplying credentials interactively rather than storing them in an agent-wide environment variable, or use a scoped/rotating API key if intervals.icu supports it.
  3) Confirm the endpoints in the skill match the official API docs (links are provided).
  4) If you do not trust the skill source, do not paste your API key into chat; revoke keys after testing.
  5) If you want smaller blast radius, disable autonomous invocation for the agent or avoid enabling the skill globally.

  The primary issue here is a metadata/credential omission (coherence gap), not evidence of malicious behavior.
Review Dimensions
- Purpose & Capability: ok. Name, description, and SKILL.md all describe Intervals.icu API usage (activities, events, wellness, uploads). The required capabilities (HTTP requests with an API key or Bearer token) are appropriate for the described functionality.
- Instruction Scope: ok. SKILL.md is an instruction-only guide that provides curl examples against intervals.icu endpoints and explains field selection, date formats, downloads, and bulk operations. It does not instruct reading unrelated local files, enumerating system credentials, or sending data to third-party endpoints outside intervals.icu and documented resources.
- Install Mechanism: ok. No install spec or code; instruction-only skill. This is low-risk because nothing is downloaded or written to disk by the skill itself.
- Credentials: concern. SKILL.md expects sensitive values (Athlete ID, API Key or OAuth bearer token) in examples, but the skill metadata declares no required environment variables or primary credential. That mismatch is an incoherence: the skill will need credentials to operate but does not declare them as required inputs. This could lead to the agent requesting credentials in chat or the user supplying them ad-hoc, which deserves caution.
- Persistence & Privilege: ok. always is false and there is no install/persistence. The skill does not request elevated or permanent system presence and does not modify other skills or system settings.
