RUNSTR Fitness
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s fitness-data purpose is coherent, but it asks users to paste a full Nostr private key into the agent and makes privacy assurances the artifacts do not enforce.
Review carefully before installing. If you use it, do not provide your main Nostr nsec; create a dedicated RUNSTR-only identity or use a safer local decryption method. Treat any decrypted workouts, habits, moods, and journals as sensitive personal information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user provides their main nsec, the agent context receives a credential that could expose private backups and potentially enable actions as that Nostr identity.
The skill requires the user to disclose a full private key to the agent. That key can represent the user’s Nostr identity and decrypt private data, which is broader authority than a scoped read-only fitness token.
Your **nsec** is your Nostr private key... **Tell your bot:** "Here's my RUNSTR nsec: nsec1..."
Do not paste a main Nostr private key into the agent. Use a dedicated RUNSTR-only identity, a scoped/delegated credential, or a local-only decryption flow that never places the private key in chat.
A user may rely on a privacy promise that the skill itself cannot guarantee and may disclose a highly sensitive private key too casually.
The artifact tells users to share the nsec with the bot, but provides no technical control proving it will not be logged, stored in conversation history, or transmitted through the agent/model runtime.
The nsec is never stored, logged, or transmitted — it's used only for the decryption step in your current session.
Revise the instructions to avoid unsupported no-logging/no-transmission guarantees and clearly explain where the nsec will appear, how it is handled, and safer alternatives.
The agent may see intimate health and journal information when helping with coaching or analysis.
The skill clearly discloses that decrypted health, habit, mood, and journal data will be brought into the agent’s working context. This is aligned with the fitness-coaching purpose but is sensitive personal data.
What your bot gets access to: ... Workout history ... Daily habits and streaks ... Journal entries with mood and energy levels ... Daily step counts
Use only with data you are comfortable exposing to the agent session, and prefer a dedicated fitness identity or limited export when possible.
The installed tool may change over time, so behavior could differ from what was reviewed.
The skill installs an external CLI dependency using an unpinned latest version. This is expected for Nostr access, but future package changes would affect the skill.
go | package: github.com/fiatjaf/nak@latest | creates binaries: nak
Pin the dependency to a reviewed version or document the expected nak version.
