OneWave Claude Skills (Workout Designer): why it is not safe to use
OneWave's Workout Designer passed our security and privacy review (98/100), clearing all eight checks with no adverse findings.
What we found
OneWave Claude Skills (Workout Designer), from the `onewave-ai/claude-skills` repository, passed our automated security and privacy review with a score of 98/100. All eight checks returned a passing verdict based on this scan.
- **Prompt injection:** Pure fitness-role instructional text, with no override directives or hidden or encoded blocks.
- **Data exfiltration:** No network calls or outbound data; the skill runs entirely in-conversation.
- **Secrets:** No API keys, tokens, or hardcoded secrets.
- **Dangerous commands:** No shell, `curl`/`wget`, or destructive commands.
- **Obfuscation:** Plain, readable Markdown, with no base64, hex, or invisible unicode.
- **External fetches:** No external URLs or fetch instructions.
- **Credential access:** No environment variable or credential access.
- **Privilege escalation:** Declares no tools, so it cannot execute anything or elevate scope.
What to do instead
No action is required for this finding. As with any skill, review its instructions before use, and note that this reflects the scanned version at review time; a later update would warrant a fresh review.
Source: https://github.com/onewave-ai/claude-skills
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.