ClawHub

Fitness

v1.0.1

Auto-learns your fitness patterns. Absorbs data from wearables, conversations, and achievements.

3· 2.2k·13 current·14 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to integrate with wearables, race results, gym apps and conversational signals, but declares no required credentials, APIs, or connectors. A legitimate integration with services like Apple Health, Strava, Garmin, Whoop, or Oura normally requires explicit auth/config; that absence is inconsistent with the stated capabilities.
!
Instruction Scope
Runtime instructions instruct the agent to 'Absorb fitness mentions from ANY source' and to persist learned data in ~/fitness/memory.md. 'ANY source' is intentionally broad and grants the agent wide discretion to read whatever inputs it considers relevant (conversations, exports, possibly local files) without clear limits or consent flows described.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is automatically written to disk by an installer. That minimizes install-time risk.
!
Credentials
The skill requests no environment variables or credentials even though it references many third-party services. Either it relies on existing agent connectors (not documented) or it expects ad-hoc access to user-provided tokens; the lack of declared required secrets is disproportionate to the described integrations.
Persistence & Privilege
The skill will store persistent user data at ~/fitness/memory.md (explicit in SKILL.md). Persisting preferences locally is reasonable, but you should be aware this file will accumulate potentially sensitive health and lifestyle data and the skill does not describe encryption, retention, or deletion policies.
What to consider before installing
Before installing, consider: (1) Where and how will this skill get wearable and app data? Ask the publisher how connectors are authorized and whether you'll need to provide API tokens — the skill currently documents none. (2) The skill will write a local file at ~/fitness/memory.md containing health-related details; inspect this file, know where it lives, and confirm whether it is encrypted or included in backups. (3) 'Absorb data from ANY source' is broad — decide which sources you want the skill to use (e.g., only your watch, not your messages) and restrict it accordingly. (4) Ask about retention and deletion: how to remove all stored data and revoke access. (5) If you require stronger guarantees (explicit auth flows, audited connectors, server-side policy), request those from the skill author before enabling autonomous use. If you cannot get satisfactory answers, avoid installing or only enable it in a restricted testing context.

Like a lobster shell, security has layers — review code before you run it.

latestvk9774v25r20k89cv1sa8x1g3tn817w8n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments