Hevy
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: hevy-workouts Version: 1.0.1 The skill bundle is benign. It provides instructions for an AI agent to interact with the Hevy fitness app using a `hevy` command-line interface. All commands and instructions are clearly aligned with the stated purpose of managing fitness data (workouts, routines, exercises, folders). While the skill requires access to a `HEVY_API_KEY` environment variable and the `hevy` CLI can read local files via `--exercises-json @filepath`, there is no evidence of intent to exfiltrate data, execute malicious payloads, establish persistence, or perform prompt injection against the agent to achieve harmful objectives. The documentation is straightforward and lacks any obfuscation or suspicious external dependencies.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create inaccurate workouts or modify routines in the user's Hevy account.
The skill documents commands that can create or update data in the user's Hevy account. This matches the stated purpose, but these are account-changing actions.
hevy workouts create --title TEXT ... hevy workouts update <workout-id> ... hevy routines create --title TEXT ... hevy routines update <routine-id> ...
Before running create or update commands, confirm the target IDs, dates, titles, and exercise JSON with the user.
The agent will need access to a Hevy API key to read or change the user's Hevy fitness data.
The skill requires a Hevy API key for account access, but the registry metadata lists no required environment variables or primary credential.
Requires `HEVY_API_KEY` env var to be set.
Provide only a Hevy API key intended for this use, prefer an environment variable over placing the key in command text, and revoke the key if no longer needed.
Users must already have the correct Hevy CLI installed; otherwise the agent may fail or use whatever `hevy` executable is on the system path.
The skill depends on an external `hevy` CLI, but the provided install data says there is no install spec and no required binaries are declared.
Use the `hevy` CLI to interact with Hevy fitness app data.
Install the Hevy CLI only from a trusted source and verify which `hevy` executable will be used before granting it API-key access.