V-Train_Data

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill largely matches its stated V-Train reporting purpose, but it bundles real-looking personal fitness data and handles raw account credentials, so it needs review before use.

Only use this skill if you trust the V-Train endpoint and owner. Remove the bundled vtrain_user_data.json before use, treat generated JSON/HTML/Markdown reports as sensitive, and do not enter or store your V-Train password unless you have verified the service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running the skill may expose or reuse another person's private fitness and profile data, and generated reports may preserve that data locally.

Why it was flagged

The packaged JSON appears to contain an identifiable user's email, health/body metrics, training goals, and workout media URLs rather than sanitized sample data.

Skill content

"email":"979245542@qq.com","profile":{"...","height":"186","weight":"86","body_fat":"13","eat_target":"增肌"} ... "video_url":"https://exercise-videos-aliyun.oss-cn-beijing.aliyuncs.com/...

Recommendation

Remove the bundled user export, replace it with a clearly synthetic fixture, and ensure generated reports/data files are stored only when the current user explicitly requests them.

What this means

A user would be trusting this skill and the puckg.fun endpoint with their V-Train password and complete account data.

Why it was flagged

The documented workflow sends the user's raw V-Train email and password to the provider endpoint; this is expected for the stated purpose but is sensitive account access.

Skill content

POST https://puckg.fun/api/agent/user-data ... { "email": "user@example.com", "password": "password123" }

Recommendation

Verify that puckg.fun is the official V-Train endpoint, avoid storing the password in files, and prefer scoped tokens or OAuth if available.

What this means

Opening generated reports may execute external JavaScript in a page that contains private diet data.

Why it was flagged

The local food report template runs third-party CDN JavaScript, apparently without a pinned version or integrity hash.

Skill content

<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>

Recommendation

Pin and integrity-check the library, self-host a reviewed copy, or disclose clearly that generated reports load external code.