AI Coach · 个人铁三教练 Security Report — Low Risk | ClawSafe

15 /100

AI Coach · 个人铁三教练

智能生成每日训练计划，根据你的比赛目标和身体状态动态调整。支持 TrainingPeaks 和 Garmin 数据集成。

Legitimate triathlon training coach skill with proper TrainingPeaks/Garmin integration. No malicious behavior detected; all operations align with documented functionality.

Skill NameAI Coach · 个人铁三教练

Duration35.3s

Enginepi

✓

Safe to install

Accept for use. The skill requires filesystem:WRITE and network:READ for credential/token caching and API access, which are necessary for its legitimate fitness tracking features.

Findings 2 items

Severity	Finding	Location
Medium	Plain-text credential storage in user_config.json Garmin credentials are stored as plain-text in user_config.json. While documented, this poses risk if the config file is compromised. `{"garmin_email": "...", "garmin_password": "..."}` → Consider using system keyring (keyring library) or prompting for credentials via secure input instead of plain-text storage.	`user_config.json`
Low	Missing version pinning for garminconnect SKILL.md declares 'pip install' without specifying version, allowing automatic upgrades that could introduce breaking changes. `data_fetcher.py \| garminconnect \| pip install` → Pin garminconnect to a specific version (e.g., pip install garminconnect==x.x.x) to ensure reproducible behavior.	`SKILL.md:143`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`WRITE`	`WRITE`	✓ Aligned	SKILL.md: Config, cookie, and token storage
Network	`READ`	`READ`	✓ Aligned	SKILL.md: TP and Garmin API integration
Shell	`NONE`	`NONE`	—	No subprocess or shell execution found
Environment	`READ`	`READ`	✓ Aligned	tp_client.py:15 - reads TP_AUTH_COOKIE env var

3 findings

🔗

Medium External URL 外部 URL

https://tpstack.trainingpeaks.com

SKILL.md:31

🔗

Medium External URL 外部 URL

https://tpapi.trainingpeaks.com

scripts/tp_client.py:22

📧

Info Email 邮箱地址

[email protected]

SKILL.md:69

File Tree

5 files · 40.9 KB · 1260 lines

Python 3f · 1104L Markdown 1f · 143L JSON 1f · 13L

├─ ▾ 📁 scripts

│ ├─ 🐍 daily_plan.py Python 402L · 14.7 KB

│ ├─ 🐍 data_fetcher.py Python 243L · 7.8 KB

│ └─ 🐍 tp_client.py Python 459L · 14.6 KB

├─ 📝 SKILL.md Markdown 143L · 3.6 KB

└─ 📋 user_config.json JSON 13L · 232 B

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`garminconnect`	`*`	pip	No	Version not pinned - consider pinning for reproducibility

Security Positives

✓ No external script execution (curl|bash, wget|sh)

✓ No credential exfiltration or suspicious network destinations

✓ No base64 encoding, eval(), or obfuscated code

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ Token caching uses proper chmod 0o600 permissions

✓ No hidden functionality - all operations match documented behavior

✓ Standard library (urllib) used for HTTP requests, minimizing attack surface

✓ Rate limiting implemented (MIN_REQUEST_INTERVAL = 0.15s)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives