V-Train_Data
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill may expose or reuse another person's private fitness and profile data, and generated reports may preserve that data locally.
The packaged JSON appears to contain an identifiable user's email, health/body metrics, training goals, and workout media URLs rather than sanitized sample data.
"email":"979245542@qq.com","profile":{"...","height":"186","weight":"86","body_fat":"13","eat_target":"增肌"} ... "video_url":"https://exercise-videos-aliyun.oss-cn-beijing.aliyuncs.com/...
Remove the bundled user export, replace it with a clearly synthetic fixture, and ensure generated reports/data files are stored only when the current user explicitly requests them.
A user would be trusting this skill and the puckg.fun endpoint with their V-Train password and complete account data.
The documented workflow sends the user's raw V-Train email and password to the provider endpoint; this is expected for the stated purpose but is sensitive account access.
POST https://puckg.fun/api/agent/user-data ... { "email": "user@example.com", "password": "password123" }
Verify that puckg.fun is the official V-Train endpoint, avoid storing the password in files, and prefer scoped tokens or OAuth if available.
Opening generated reports may execute external JavaScript in a page that contains private diet data.
The local food report template runs third-party CDN JavaScript, apparently without a pinned version or integrity hash.
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
Pin and integrity-check the library, self-host a reviewed copy, or disclose clearly that generated reports load external code.
