ClawHub

Hevy

v0.2.0

Query workout data from Hevy including workouts, routines, exercises, and history. Use when user asks about their workouts, gym sessions, exercise progress, or fitness routines.

2· 2.5k·2 current·2 all-time
byMatt Russell@mjrussell
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (Hevy CLI) match the code and SKILL.md: the package implements a CLI client that talks to https://api.hevyapp.com and requests only HEVY_API_KEY. One small inconsistency: SKILL.md declares a required binary 'hevy' (which is correct for runtime use), and the repository includes source and a package.json that would install a 'hevy' binary when built/installed — but there is no install specification in the skill metadata. This is more of an operational mismatch (user/agent must ensure the 'hevy' binary is present or build it from source) than a functional or malicious inconsistency.
Instruction Scope
SKILL.md instructs the agent to use the hevy CLI and to set HEVY_API_KEY; commands and endpoints listed correspond to the code. Instructions do not ask the agent to read unrelated files, access unrelated environment variables, or send data to unexpected endpoints — all network calls target the Hevy API.
Install Mechanism
There is no install spec in the registry metadata (lowest-risk), but the package includes source and a package.json that defines a 'hevy' bin. This means the skill will not automatically install/build the binary; an operator or environment must already have 'hevy' on PATH or build/install it manually. No remote/download-based installation or suspicious external URLs are present.
Credentials
Only HEVY_API_KEY is required, which is appropriate for a client that talks to the Hevy API. The code reads only that environment variable and uses it for authenticated API requests. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system configuration. disable-model-invocation is false (normal) so the agent may invoke it autonomously — this is the platform default and not by itself a red flag.
Assessment
This skill appears to be a straightforward CLI client for the Hevy API and only needs your HEVY_API_KEY. Before installing or enabling it: (1) confirm you have a valid Hevy Pro API key and understand its permissions; (2) ensure the 'hevy' binary is present on the agent's PATH (the package includes source but the skill provides no automatic install/build step), or build/install the included package from its source if you trust it; (3) verify the HEVY_API_KEY is scoped appropriately (use least privilege) and avoid sharing it elsewhere; (4) if you want to prevent autonomous calls, restrict agent invocation policy — the skill can be called autonomously by default. If you need help verifying the binary is the official Hevy client, compare the source here with Hevy's official repo or obtain the CLI from an official Hevy release.

Like a lobster shell, security has layers — review code before you run it.

latestvk979cv0q794bdf9d8fm4gf5bcd7z2863

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏋️ Clawdis
Binshevy
EnvHEVY_API_KEY

Comments