Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workout Track

v1.0.2

Log a strength training session and insert it into the life_db database. Use when the user shares their gym session, exercises, sets, reps, weights, RPE, res...

by 𝑠𝑝𝑖𝑑𝑒𝑦 (@spideystreet)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description match its files: a parser + a script that inserts into a 'sport' schema in a PostgreSQL DB. Requesting the 'uv' binary is plausible for the advertised execution method. However, the SKILL.md expects DB credentials in ~/.openclaw/services/life-db/.env but the skill declares no required env vars: this is an inconsistency (credentials are needed but not declared).
! Instruction Scope
Runtime instructions tell the agent to source ~/.openclaw/services/life-db/.env and then run a bash -c command that embeds the minified JSON payload directly into the shell invocation. Embedding user-provided JSON into a single-quoted bash -c string is error-prone and risks shell injection if not escaped correctly. The instructions also require reading a user credentials file (the .env) which is outside the skill bundle; that is expected for DB access but should be explicitly declared.
Install Mechanism
There is no install spec (instruction-only) and a small Python script is included. The script depends on psycopg2 but no dependency or installation steps for psycopg2 (or a Python runtime) are declared. The lack of explicit dependency installation means the runtime environment must already satisfy them — this is an operational omission rather than an explicit supply of risky installs.
! Credentials
The skill needs PostgreSQL credentials (PGUSER/PGPASSWORD or DATABASE_URL) to work, and SKILL.md points at ~/.openclaw/services/life-db/.env as the credential source, but requires.env is empty. Requesting DB credentials is proportionate to the stated purpose, but the omission of declared env variables and the automatic sourcing of a local .env file (a path in the user's home) should be surfaced to the user.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It runs only when invoked and does not request elevated platform privileges.
What to consider before installing
This skill appears to do what it says (insert workouts into a PostgreSQL DB), but it has a few operational and safety issues you should address before installing:

(1) It expects DB credentials in ~/.openclaw/services/life-db/.env but the skill metadata doesn't declare required env vars — verify that file exists, contains only the DB credentials needed, and is readable only by you (chmod 600).
(2) The SKILL.md runs a bash -c command embedding the JSON payload directly; make sure the agent or integrator correctly shell-escapes JSON (prefer safer approaches like passing JSON on stdin or using a direct process invocation). Without proper escaping, malformed input could lead to command injection.
(3) The included Python script requires psycopg2 (and Python); ensure the runtime has those dependencies installed from trusted sources.
(4) Test against a non-production or throwaway database first to confirm behavior and avoid accidental data loss.

If you need this skill, ask the author to (a) declare required env vars in the metadata, (b) provide a safe invocation that does not inline raw JSON into a shell command, and (c) include explicit dependency/install instructions for psycopg2/Python runtime.


Runtime requirements

Bins: uv
License: MIT-0

Workout Log

Parses strength training sessions from natural or structured input and inserts them into the sport schema of life_db.

Connection

Credentials are in ~/.openclaw/services/life-db/.env.

Workflow

1. Parse the user's message

Extract from free text or structured input:

| Field | Type | Notes |
|---|---|---|
| session_date | YYYY-MM-DD | Default: today |
| duration_min | int | Total session duration |
| feeling | 1–10 integer | Overall session feeling |
| notes | string | Optional — program name, injuries, etc. |
| exercises[] | array | One object per exercise |

Each exercise:

| Field | Type | Notes |
|---|---|---|
| exercise_name | string | Normalize consistently (e.g. "Bench Press", "Squat", "Romanian Deadlift") |
| sets | int | Number of working sets |
| reps | int | Reps per set (use average if varied) |
| weight_kg | float | Working weight — null for bodyweight exercises |
| rpe | float | Rate of perceived exertion (1–10), optional |
| rest_sec | int | Rest between sets in seconds, optional |
| order_in_session | int | Order as mentioned |
| notes | string | Optional — tempo, drop sets, supersets, etc. |

2. Confirm with the user

Show a summary before inserting:

📅 {DD/MM/YYYY} · Muscu · {duration} min · Feeling {feeling}/10
• {Exercise 1} — {sets}×{reps} @ {weight} kg
• {Exercise 2} — {sets}×{reps} bodyweight
• …

Save? (yes / no)

3. Insert

Only after confirmation, use the exec tool:

{
  "tool": "exec",
  "command": "bash -c 'set -a; source ~/.openclaw/services/life-db/.env; uv run --project ~/.openclaw {baseDir}/scripts/insert_workout.py <json>'"
}

Replace <json> with the minified JSON payload (no newlines, properly shell-escaped).
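
An added example (not part of the skill or its SKILL.md) of what "properly shell-escaped" has to mean for the template above: the payload is parsed by two shells, so it is quoted once for the inner command and once more as the `bash -c` argument. `shlex.split` stands in for the shell's quote removal and word splitting, and the base directory and session values are constructed.

```python
import json
import shlex

# Template from the page; {base} and {json} are the substitution points.
INNER = ("set -a; source ~/.openclaw/services/life-db/.env; "
         "uv run --project ~/.openclaw {base}/scripts/insert_workout.py {json}")


def minify(session: dict) -> str:
    return json.dumps(session, separators=(",", ":"), ensure_ascii=False)


def naive_command(session: dict, base_dir: str) -> str:
    """Substitute the raw JSON into the single-quoted bash -c string."""
    return "bash -c '" + INNER.format(base=base_dir, json=minify(session)) + "'"


def escaped_command(session: dict, base_dir: str) -> str:
    """Quote the payload for the inner shell, then the whole script for the outer."""
    inner = INNER.format(base=shlex.quote(base_dir),
                         json=shlex.quote(minify(session)))
    return "bash -c " + shlex.quote(inner)


def delivered_argument(command: str):
    """Last argv element the inner command would receive, or None if parsing breaks.

    shlex.split models quoting and word splitting only (no expansions), which is
    enough to show whether the JSON survives both parses as a single argument.
    """
    try:
        outer = shlex.split(command)
        if len(outer) != 3 or outer[:2] != ["bash", "-c"]:
            return None
        return shlex.split(outer[2])[-1]
    except ValueError:  # unbalanced quote
        return None


# Constructed sample: an ordinary apostrophe in a free-text field.
BASE_DIR = "/opt/skills/workout-track"  # hypothetical value for {baseDir}
SESSION = {"session_date": "2025-01-15", "duration_min": 45, "feeling": 7,
           "notes": "farmer's walk finisher",
           "exercises": [{"exercise_name": "Squat", "sets": 4, "reps": 8,
                          "weight_kg": 100.0, "order_in_session": 1}]}

if __name__ == "__main__":
    print(escaped_command(SESSION, BASE_DIR))
```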

4. Confirm result

On OK — respond with exactly this format, nothing more:

✅ Muscu · {duration} min · Feeling {feeling}/10 · #{session_id}
{comment}

{comment} rules — 1 line, max 60 chars, no emoji:

  • feeling ≥ 8 → short hype line
  • feeling 5–7 → encouragement
  • feeling ≤ 4 → grind acknowledgement

On ERROR — report the error as-is, do not retry without user input.

Examples

| User says | Parsed session |
|---|---|
| "Gym 1h feeling 8. Bench 4x10 80kg, Squat 4x8 100kg, Curl 3x12 15kg" | 3 exercises, 60 min, feeling 8/10 |
| "45 min chest/shoulders. Bench press 5x5 90kg RPE 9, overhead press 4x8 40kg, lateral raises 3x15 10kg" | 3 exercises, 45 min, feeling asked |
| "Quick session 30min: pull-ups 4x8 bodyweight, rows 4x10 60kg" | 2 exercises, 30 min, feeling asked |
