Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Endurance Coach
v1.4.0
Create personalized triathlon, marathon, and ultra-endurance training plans. Use when athletes ask for training plans, workout schedules, race preparation, or coaching advice. Can sync with Strava to analyze training history, or work from manually provided fitness data. Generates periodized plans with sport-specific workouts, zones, and race-day strategies.
by @shiv19
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to produce personalized endurance plans and to optionally sync with Strava; its instructions focus on athlete context, local DB (~/.endurance-coach/coach.db) and template-based plan generation, which are expected for this purpose.
Instruction Scope
Runtime instructions explicitly tell the agent to read and write files in the user's home directory (e.g., ~/.endurance-coach/Athlete_Context.md, coach.db) and to run CLI commands (npx endurance-coach ...) and SQL queries against the local DB. Those actions are relevant to coaching but do grant the skill access to local training data and any contents of that folder; the instructions also encourage persistent context documents which may contain sensitive personal info.
Install Mechanism
There is no declared install spec, but the SKILL.md repeatedly instructs using 'npx -y endurance-coach@latest' to run a remote npm package. That is a legitimate delivery mechanism for a CLI-based skill, but it means code will be fetched and executed from the npm registry at runtime — a moderate operational risk if the npm package or its source are untrusted. The skill itself does not include code, so the scanner had nothing to analyze locally.
Credentials
The skill declares no required environment variables or credentials. It references Strava sync and an auth flow but appears to expect interactive/CLI OAuth and storing tokens locally in coach.db rather than requiring external environment secrets. The requested access (local DB and optional Strava OAuth) aligns with the stated functionality.
Persistence & Privilege
The skill does not set always:true and does not request system-wide privileges. It instructs creating/maintaining files under ~/.endurance-coach (Athlete_Context.md, coach.db, workout-templates), which is appropriate for a coaching agent but does give it persistent local storage.
Assessment
This skill is internally coherent for a coaching tool, but pay attention to three practical risks: (1) it reads and writes files in ~/.endurance-coach (Athlete_Context.md may contain personal health and context data) — review or sandbox that folder if you care about privacy; (2) it instructs running 'npx -y endurance-coach@latest' which downloads and executes code from the npm registry at runtime — only run that if you trust the package or inspect it first (or run in an isolated environment/container); (3) Strava sync implies OAuth tokens will be stored locally (coach.db); check what is stored and where, and rotate/revoke tokens if needed. If you plan to install/use this skill, ask the publisher for a source repo or homepage, or request an explicit install spec and documentation of how Strava auth and local storage are handled before proceeding.
Like a lobster shell, security has layers — review code before you run it.
