V-Train_Data
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: v-train-data-skill
Version: 1.0.1
The skill bundle is a comprehensive toolset for fetching and visualizing fitness and diet data from the V-Train platform (puckg.fun). It includes Node.js scripts (table_view.js), HTML templates (food_viewer_template.html, vtrain_viewer.html), and detailed documentation (vtrain-exercise-data-fetcher.md, vtrain-food-data-fetcher.md) for interacting with the service's API. While it requires user credentials (email/password) to function, the code logic is consistent with the stated purpose of data retrieval and report generation, with no evidence of malicious exfiltration, unauthorized execution, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the skill may expose or reuse another person's private fitness and profile data, and generated reports may preserve that data locally.
The packaged JSON appears to contain an identifiable user's email, health/body metrics, training goals, and workout media URLs rather than sanitized sample data.
"email":"979245542@qq.com","profile":{"...","height":"186","weight":"86","body_fat":"13","eat_target":"增肌"} ... "video_url":"https://exercise-videos-aliyun.oss-cn-beijing.aliyuncs.com/...
Remove the bundled user export, replace it with a clearly synthetic fixture, and ensure generated reports/data files are stored only when the current user explicitly requests them.
A user would be trusting this skill and the puckg.fun endpoint with their V-Train password and complete account data.
The documented workflow sends the user's raw V-Train email and password to the provider endpoint; this is expected for the stated purpose but is sensitive account access.
POST https://puckg.fun/api/agent/user-data ... { "email": "user@example.com", "password": "password123" }
Verify that puckg.fun is the official V-Train endpoint, avoid storing the password in files, and prefer scoped tokens or OAuth if available.
Opening generated reports may execute external JavaScript in a page that contains private diet data.
The local food report template runs third-party CDN JavaScript, apparently without a pinned version or integrity hash.
<script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
Pin and integrity-check the library, self-host a reviewed copy, or disclose clearly that generated reports load external code.
