Fit-Mate

Security checks across malware telemetry and agentic risk

Overview

Fit-Mate is a coherent fitness coach, but it needs review because it stores sensitive health data and its PDF feature can automatically install an unpinned Python dependency.

Review before installing. Use it only if you are comfortable storing fitness, food, sleep, weight, injury, medication, and wearable data in the local skill data folder. Treat the coach persona as unverified, not as a licensed medical or nutrition professional. Avoid the PDF feature unless you accept that it may create a local Python environment and download ReportLab from pip.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
        subprocess.run(
            [str(venv_python), "-m", "pip", "install", "--disable-pip-version-check", "reportlab"],
            check=True,
        )
Confidence
93% confidence
Finding
subprocess.run( [str(venv_python), "-m", "pip", "install", "--disable-pip-version-check", "reportlab"], check=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly instructing the runtime to read local files and invoke a bundled script for PDF generation, which implies file-read and shell/process execution capability. This mismatch undermines least privilege and can cause operators or users to approve a skill without understanding that it can access local data and run code paths that install packages or generate files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a conversational fitness coach, but its instructions also cover filesystem writes, PDF generation, virtual-environment creation, package installation, and release/archive creation behaviors not disclosed in the user-facing description. Hidden operational capabilities increase the chance of unsafe execution, unexpected persistence, and supply-chain exposure because reviewers may underestimate what the skill actually does.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automated virtual-environment bootstrapping and package installation create an unnecessary code-execution and supply-chain risk for a fitness coaching skill. If triggered, the skill may install dependencies from package repositories and run local scripts, expanding the attack surface far beyond normal conversational coaching and data logging.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference goes beyond general fitness logging and interprets cardiovascular and recovery signals such as HR recovery, resting HR trends, HRV, sleep impairment, and VO2 Max in ways that can be perceived as health assessment. In a skill whose manifest explicitly excludes medical diagnosis and clinical guidance, this creates a scope boundary failure: users may rely on quasi-medical interpretations or training advice derived from potentially inaccurate wearable data.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The adjustment rules prescribe actions such as lifting heavier, enforcing training changes, deloading, and modifying volume based on biometrics without first ensuring the user is safe for that advice. Because the skill is supposed to collect injuries/medical conditions first and avoid clinical-style guidance, these unconditional rules could produce unsafe recommendations for users with contraindications, overtraining, cardiovascular concerns, or other health limitations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill's declared purpose is generating weekly fitness reporting, but this block also provisions a virtual environment, installs packages, acquires lock files, and re-executes the process. That mismatch matters because hidden environment modification and dependency installation increase attack surface and user surprise beyond what is justified by the skill context.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Package management at runtime is an unjustified capability escalation for this skill: it can reach the network, alter the local environment, and execute installer logic. In the context of a fitness-report generator, these actions are unnecessary during normal operation and increase supply-chain and operational risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill collects sensitive health-related data including injuries, medical conditions, medications, weight, diet restrictions, and location, then persists it locally without an explicit upfront privacy notice, retention policy, or consent flow. This creates confidentiality and compliance risk because users may disclose special-category personal data without understanding it will be stored on disk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Multiple commands persist detailed food, hydration, sleep, workout, body-weight, recovery, and wearable data to local files and caches, but the skill does not present a clear privacy, retention, or deletion disclosure to the user. Longitudinal health and behavior logs are highly sensitive, and silent storage increases the risk of unauthorized access, profiling, or unintended reuse.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The default prompt broadly advertises the skill for training, nutrition logs, and fitness reports without encoding the tighter trigger exclusions from the skill metadata. Combined with implicit invocation, this can cause the agent to activate on generic fitness-related requests, including edge-adjacent cases that should be screened out first, increasing the chance of unsafe or out-of-scope coaching behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Automatically installing a package from the network without user-facing warning or approval is dangerous because it introduces implicit code acquisition and dependency trust at execution time. If the package source, mirror, or trust configuration is compromised, the script could pull and execute malicious content while performing an otherwise routine reporting task.

VirusTotal

65/65 vendors flagged this skill as clean.
