Endurance Coach

Security checks across malware telemetry and agentic risk

Overview

This endurance coaching skill is mostly purpose-aligned, but it stores sensitive athlete context and hidden coach notes without clear user-facing consent or review controls.

Review this skill carefully before installing. Expect it to use an external endurance-coach npm CLI, optionally authorize Strava, and keep local files under ~/.endurance-coach with sensitive training, health, schedule, and coaching-context information. Only use it if you are comfortable with persistent coaching memory, and periodically inspect or delete the stored context and database if you do not want that information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to generate and persist a comprehensive `Athlete_Context.md` file containing sensitive personal and health-adjacent information such as injuries, family/work constraints, goals, and behavioral patterns, but it does not require explicit user consent or a warning that this data will be stored locally. In a coaching context this persistence is operationally useful, but the file aggregates highly sensitive profile data that could be exposed to other local users, backups, or later prompts without the athlete realizing it is being retained.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill explicitly says preliminary coach notes are "generated silently" and "not shown to athlete" while being stored separately, which creates undisclosed persistence of internal assessments about the user. Because these notes may include inferred psychological, behavioral, or health-related judgments, secret retention increases privacy risk, undermines transparency, and can bias future interactions without the user's knowledge.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This section gives prescriptive minimum weekly hours, distances, and long-session volumes for high-risk endurance events without an explicit safety qualifier to individualize for age, injury history, medical conditions, heat tolerance, or training background. In a coaching skill, users may treat these numbers as authoritative defaults and overreach, increasing risk of injury, overtraining, cardiac events, or unsafe return-to-training decisions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This section gives specific carbohydrate, fluid, sodium, and caffeine dosing targets for long endurance events without a clear warning that tolerance, body size, medical conditions, medications, heat acclimation, and GI sensitivity vary substantially between athletes. In a coaching skill, users may treat these values as personalized or medically safe, which can lead to overhydration, underhydration, excessive caffeine intake, GI distress, or worsening of underlying health issues during prolonged events.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file gives explicit maximal and all-out field testing instructions for running, cycling, and swimming without any screening, contraindication, supervision, or stop-if-symptoms safety guidance. In an endurance coaching skill, users may treat these protocols as actionable coaching advice, so omission of health warnings can contribute to overexertion, injury, cardiac events, or unsafe solo testing, especially for beginners or users with unknown medical risk.

VirusTotal

64/64 vendors flagged this skill as clean.
