Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fit-Mate
v1.0.1
TRIGGER when: user asks about workout plans, exercise routines, fat loss, muscle gain, body recomposition, meal planning for fitness, calorie or macro tracki...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included documentation, persona, training and nutrition references, and PDF report templates. The included scripts and data-schema clearly support generating plans, logs, progress summaries and weekly PDF reports — these are expected for a fitness-coach skill.
Instruction Scope
SKILL.md explicitly instructs the agent to read local reference files and to store runtime data under {baseDir}/data/. This is within scope for a coaching skill but requires the agent to have file read/write access to the skill directory. The instructions do not ask for unrelated system files, credentials, or external data exfiltration.
Install Mechanism
There is no declared install spec, but scripts/render_weekly_report_pdf.py bootstraps a local virtualenv (.pdfgen-venv) and runs pip install reportlab if not present. That will cause network access to PyPI and write a virtualenv into the skill directory. This is a reasonable implementation for on-demand PDF generation but is a notable side-effect (downloads code at runtime and creates files).
Credentials
The skill requires no environment variables, no credentials, and no special config paths. Its data schema and file access needs are proportional to the stated functionality (storing user_profile, logs, caches, and reports locally).
Persistence & Privilege
always is false and the skill does not request elevated or cross-skill configuration changes. It will create local artifacts (.pdfgen-venv, lock files, data/ entries, and weekly_reports PDFs) inside the skill directory; that is expected behavior for this functionality.
Assessment
This skill appears to do what it claims, but note two practical points before installing: (1) the PDF renderer will create a .pdfgen-venv in the skill directory and run pip to install 'reportlab' (network access to PyPI) the first time a PDF is generated — expect downloads and file creation; (2) the skill reads and writes local files under the skill folder (data/, cache/, weekly_reports/). If you have sensitive data, run the skill in a sandbox or inspect/clear the data/ directory before/after use. No credentials or external endpoints are requested by the skill itself. If you want greater assurance, review the render_weekly_report_pdf.py script and the references files locally before enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cz2wy6zrg6r6xx5n77syst583ybmh
Runtime requirements
💪 Clawdis
OS: macOS · Linux · Windows
