← Back to Skills Marketplace
398
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install workout-track
Description
Log a strength training session and insert it into the life_db database. Use when the user shares their gym session, exercises, sets, reps, weights, RPE, res...
Usage Guidance
This skill appears to do what it says (insert workouts into a PostgreSQL DB), but it has a few operational and safety issues you should address before installing: (1) It expects DB credentials in ~/.openclaw/services/life-db/.env but the skill metadata doesn't declare required env vars — verify that file exists, contains only the DB credentials needed, and is readable only by you (chmod 600). (2) The SKILL.md runs a bash -c command embedding the JSON payload directly; make sure the agent or integrator correctly shell-escapes JSON (prefer safer approaches like passing JSON on stdin or using a direct process invocation). Without proper escaping, malformed input could lead to command injection. (3) The included Python script requires psycopg2 (and Python); ensure the runtime has those dependencies installed from trusted sources. (4) Test against a non-production or throwaway database first to confirm behavior and avoid accidental data loss. If you need this skill, ask the author to (a) declare required env vars in the metadata, (b) provide a safe invocation that does not inline raw JSON into a shell command, and (c) include explicit dependency/install instructions for psycopg2/Python runtime.
Capability Analysis
Type: OpenClaw Skill
Name: workout-track
Version: 1.0.2
The skill facilitates logging workout data into a PostgreSQL database but is classified as suspicious due to a potential shell injection vulnerability. The `SKILL.md` instructions direct the agent to use `bash -c` to execute a Python script with a JSON payload, a high-risk pattern that relies entirely on the agent's ability to properly shell-escape user-influenced data. Additionally, the workflow involves sourcing sensitive database credentials from a local `.env` file. While the Python script (`scripts/insert_workout.py`) itself is well-implemented with parameterized SQL queries to prevent SQL injection, the integration method via the `exec` tool introduces unnecessary risk.
Capability Assessment
Purpose & Capability
The skill's name/description match its files: a parser + a script that inserts into a 'sport' schema in a PostgreSQL DB. Requesting the 'uv' binary is plausible for the advertised execution method. However, the SKILL.md expects DB credentials in ~/.openclaw/services/life-db/.env but the skill declares no required env vars: this is an inconsistency (credentials are needed but not declared).
Instruction Scope
Runtime instructions tell the agent to source ~/.openclaw/services/life-db/.env and then run a bash -c command that embeds the minified JSON payload directly into the shell invocation. Embedding user-provided JSON into a single-quoted bash -c string is error-prone and risks shell injection if not escaped correctly. The instructions also require reading a user credentials file (the .env) which is outside the skill bundle; that is expected for DB access but should be explicitly declared.
Install Mechanism
There is no install spec (instruction-only) and a small Python script is included. The script depends on psycopg2 but no dependency or installation steps for psycopg2 (or a Python runtime) are declared. The lack of explicit dependency installation means the runtime environment must already satisfy them — this is an operational omission rather than an explicit supply of risky installs.
Credentials
The skill needs PostgreSQL credentials (PGUSER/PGPASSWORD or DATABASE_URL) to work, and SKILL.md points at ~/.openclaw/services/life-db/.env as the credential source, but requires.env is empty. Requesting DB credentials is proportionate to the stated purpose, but the omission of declared env variables and the automatic sourcing of a local .env file (a path in the user's home) should be surfaced to the user.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It runs only when invoked and does not request elevated platform privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install workout-track - After installation, invoke the skill by name or use
/workout-track - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Translate all prompts and examples to English.
v1.0.1
Re-publish with CI fixes.
v0.0.0-pr-check
Slug availability check
v1.0.0
Initial release.
Metadata
Frequently Asked Questions
What is Workout Track?
Log a strength training session and insert it into the life_db database. Use when the user shares their gym session, exercises, sets, reps, weights, RPE, res... It is an AI Agent Skill for Claude Code / OpenClaw, with 398 downloads so far.
How do I install Workout Track?
Run "/install workout-track" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Workout Track free?
Yes, Workout Track is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Workout Track support?
Workout Track is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Workout Track?
It is built and maintained by 𝑠𝑝𝑖𝑑𝑒𝑦 (@spideystreet); the current version is v1.0.2.
More Skills