ClawHub

Fit Dubai

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a fitness coach, but it persists sensitive personal fitness and body-profile data without clear consent, retention, or deletion controls.

Install only if you are comfortable with the skill retaining personal fitness details in local memory files. Before using it, decide what body metrics, diet details, location, and progress history you want saved, and manually review or delete the memory files if you no longer want that information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly says it will track milestones and performance history in `coach.md` and update that file over time, but it does not clearly inform the user that this creates persistent storage of personal data or explain the consequences of modifying a file. Because fitness history can reveal sensitive health-related information, users may disclose data they would not share if they understood it would be retained.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file explicitly states that personalized fitness data will be stored and updated over time, and the template includes sensitive health-related and location-linked fields such as age, weight, height, dietary preference, and area in Dubai. Collecting and persisting this data without any visible privacy notice, retention limits, consent language, or handling guidance creates a real privacy and data governance risk if users are unaware their information is being retained.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal