Low Risk — Risk Score 15/100
Last scan: 2 days ago
workout-tracker
Personal fitness tracker - records workout data, parses movements/sets/reps/weight, writes to local MySQL database
A legitimate fitness tracking skill with proper SQL injection protection, local-only database access, and parameterized queries. The placeholder passwords in documentation are clearly marked as examples for user replacement.
Skill Name: workout-tracker
Duration: 36.8s
Engine: pi
Safe to install
No immediate action required. The skill follows security best practices. Consider updating documentation to use more visibly placeholder-style passwords (e.g., 'REPLACE_WITH_YOUR_PASSWORD') to reduce confusion.

Findings (2 items)

Severity: Low
Finding: Placeholder passwords in documentation (Doc Mismatch)
SKILL.md and TOOLS.md contain example passwords like 'your_secure_password' and 'temporary_password'. While clearly marked as placeholders, using a more distinctive placeholder format (e.g., '<YOUR_PASSWORD>') would improve clarity.
Evidence: MYSQL_PASSWORD="your_secure_password"
→ Use a clearly identifiable placeholder format like 'YOUR_PASSWORD_HERE' or '<REPLACE_ME>' in documentation.
Location: SKILL.md:30

Severity: Info
Finding: Reads .env configuration file (Sensitive Access)
Both Python scripts load configuration from the .workout-tracker.env file if present. This is documented behavior for convenience.
Evidence: load_env_file(env_file='.workout-tracker.env')
→ This is expected and documented behavior. Ensure .env files are in .gitignore.
Location: scripts/init_database.py:89
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✓ Aligned | Reads .env files for config loading, documented in SKILL.md
Network | READ | READ | ✓ Aligned | package.json repository URL only, no runtime network access
Shell | NONE | NONE | | No shell execution in Python scripts
Environment | READ | READ | ✓ Aligned | Reads MYSQL_* env vars for database connection
Skill Invoke | NONE | NONE | | No skill invocation detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | WRITE | WRITE | ✓ Aligned | Local MySQL via unix_socket only, fully documented
Pattern scan: 4 findings (3 High)

🔑 High | API Key | Suspected hardcoded credential
  PASSWORD="your_secure_password"
  SKILL.md:30

🔑 High | API Key | Suspected hardcoded credential
  PASSWORD="your_secure_password_here"
  SKILL.md:91

🔑 High | API Key | Suspected hardcoded credential
  PASSWORD="temporary_password"
  TOOLS.md:66

🔗 Medium | External URL
  https://clawhub.ai/query1988/workout-tracker
  package.json:18

File Tree

6 files · 40.7 KB · 1267 lines
Markdown: 3 files, 848 lines · Python: 2 files, 361 lines · JSON: 1 file, 58 lines
├─ 📁 scripts
│ ├─ 🐍 init_database.py Python 202L · 6.3 KB
│ └─ 🐍 verify_setup.py Python 159L · 5.3 KB
├─ 📋 package.json JSON 58L · 1.4 KB
├─ 📝 README.md Markdown 136L · 3.9 KB
├─ 📝 SKILL.md Markdown 552L · 19.5 KB
└─ 📝 TOOLS.md Markdown 160L · 4.3 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
mysql-connector-python | * | pip | No | Version not pinned, but the package is from Oracle and widely used

Security Positives

✓ All SQL queries use parameterized statements preventing SQL injection
✓ Local-only database connection via unix socket, no remote access
✓ Database user follows least privilege principle (INSERT/SELECT/UPDATE/DELETE only)
✓ Strong input validation documentation with clear do/don't examples
✓ No hardcoded credentials in Python scripts
✓ No network exfiltration or C2 communication detected
✓ No obfuscation or encoded payloads found
✓ No sensitive file path access (ssh, aws credentials, etc.)
✓ Comprehensive security audit checklist in documentation
✓ Error messages do not leak database structure