spideystreet

Workout Track

Author 𝑠𝑝𝑖𝑑𝑒𝑦 · GitHub ↗ · v1.0.2
cross-platform ⚠ suspicious
Total downloads: 398
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install workout-track
Description
Log a strength training session and insert it into the life_db database. Use when the user shares their gym session, exercises, sets, reps, weights, RPE, res...
Safe usage advice
This skill appears to do what it says (insert workouts into a PostgreSQL DB), but it has a few operational and safety issues you should address before installing:
  (1) It expects DB credentials in ~/.openclaw/services/life-db/.env but the skill metadata doesn't declare required env vars — verify that file exists, contains only the DB credentials needed, and is readable only by you (chmod 600).
  (2) The SKILL.md runs a bash -c command embedding the JSON payload directly; make sure the agent or integrator correctly shell-escapes JSON (prefer safer approaches like passing JSON on stdin or using a direct process invocation). Without proper escaping, malformed input could lead to command injection.
  (3) The included Python script requires psycopg2 (and Python); ensure the runtime has those dependencies installed from trusted sources.
  (4) Test against a non-production or throwaway database first to confirm behavior and avoid accidental data loss.
If you need this skill, ask the author to (a) declare required env vars in the metadata, (b) provide a safe invocation that does not inline raw JSON into a shell command, and (c) include explicit dependency/install instructions for psycopg2/Python runtime.
Functional analysis
Type: OpenClaw Skill
Name: workout-track
Version: 1.0.2
The skill facilitates logging workout data into a PostgreSQL database but is classified as suspicious due to a potential shell injection vulnerability. The `SKILL.md` instructions direct the agent to use `bash -c` to execute a Python script with a JSON payload, a high-risk pattern that relies entirely on the agent's ability to properly shell-escape user-influenced data. Additionally, the workflow involves sourcing sensitive database credentials from a local `.env` file. While the Python script (`scripts/insert_workout.py`) itself is well-implemented with parameterized SQL queries to prevent SQL injection, the integration method via the `exec` tool introduces unnecessary risk.
Capability assessment
Purpose & Capability
The skill's name/description match its files: a parser + a script that inserts into a 'sport' schema in a PostgreSQL DB. Requesting the 'uv' binary is plausible for the advertised execution method. However, the SKILL.md expects DB credentials in ~/.openclaw/services/life-db/.env but the skill declares no required env vars: this is an inconsistency (credentials are needed but not declared).
Instruction Scope
Runtime instructions tell the agent to source ~/.openclaw/services/life-db/.env and then run a bash -c command that embeds the minified JSON payload directly into the shell invocation. Embedding user-provided JSON into a single-quoted bash -c string is error-prone and risks shell injection if not escaped correctly. The instructions also require reading a user credentials file (the .env) which is outside the skill bundle; that is expected for DB access but should be explicitly declared.
Install Mechanism
There is no install spec (instruction-only) and a small Python script is included. The script depends on psycopg2 but no dependency or installation steps for psycopg2 (or a Python runtime) are declared. The lack of explicit dependency installation means the runtime environment must already satisfy them — this is an operational omission rather than an explicit supply of risky installs.
Credentials
The skill needs PostgreSQL credentials (PGUSER/PGPASSWORD or DATABASE_URL) to work, and SKILL.md points at ~/.openclaw/services/life-db/.env as the credential source, but requires.env is empty. Requesting DB credentials is proportionate to the stated purpose, but the omission of declared env variables and the automatic sourcing of a local .env file (a path in the user's home) should be surfaced to the user.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It runs only when invoked and does not request elevated platform privileges.
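How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install workout-track
  3. Once installation completes, invoke the Skill by name or trigger it with /workout-track
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history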
v1.0.2
Translate all prompts and examples to English.
v1.0.1
Re-publish with CI fixes.
v0.0.0-pr-check
Slug availability check
v1.0.0
Initial release.
Metadata
Slug workout-track
Version 1.0.2
License
Total installs 0
Current installs 0
Historical versions 4
FAQ

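What is Workout Track?

Log a strength training session and insert it into the life_db database. Use when the user shares their gym session, exercises, sets, reps, weights, RPE, res... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 398 total downloads so far.

How do I install Workout Track?

Run the command "/install workout-track" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Workout Track free?

Yes, Workout Track is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Workout Track support?

Workout Track runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Workout Track?

Developed and maintained by 𝑠𝑝𝑖𝑑𝑒𝑦 (@spideystreet); the current version is v1.0.2.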
