Hevy

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could create inaccurate workouts or modify routines in the user's Hevy account.

Why it was flagged

The skill documents commands that can create or update data in the user's Hevy account. This matches the stated purpose, but these are account-changing actions.

Skill content

hevy workouts create --title TEXT ...
hevy workouts update <workout-id> ...
hevy routines create --title TEXT ...
hevy routines update <routine-id> ...

Recommendation

Before running create or update commands, confirm the target IDs, dates, titles, and exercise JSON with the user.

What this means

The agent will need access to a Hevy API key to read or change the user's Hevy fitness data.

Why it was flagged

The skill requires a Hevy API key for account access, but the registry metadata lists no required environment variables or primary credential.

Skill content

Requires `HEVY_API_KEY` env var to be set.

Recommendation

Provide only a Hevy API key intended for this use, prefer an environment variable over placing the key in command text, and revoke the key if no longer needed.

What this means

Users must already have the correct Hevy CLI installed; otherwise the agent may fail or use whatever `hevy` executable is on the system path.

Why it was flagged

The skill depends on an external `hevy` CLI, but the provided install data says there is no install spec and no required binaries are declared.

Skill content

Use the `hevy` CLI to interact with Hevy fitness app data.

Recommendation

Install the Hevy CLI only from a trusted source and verify which `hevy` executable will be used before granting it API-key access.