We checked this and rejected itsecurity

OneWave Claude Skills (Workout Designer): why it is not safe to use

OneWave's Workout Designer passed our security and privacy review (98/100), clearing all eight checks with no adverse findings.

What we found

OneWave Claude Skills (Workout Designer), from the `onewave-ai/claude-skills` repository, passed our automated security and privacy review with a score of 98/100. All eight checks returned a passing verdict based on this scan.

  • **Prompt injection:** Pure fitness-role instructional text, with no override directives or hidden or encoded blocks.
  • **Data exfiltration:** No network calls or outbound data; the skill runs entirely in-conversation.
  • **Secrets:** No API keys, tokens, or hardcoded secrets.
  • **Dangerous commands:** No shell, `curl`/`wget`, or destructive commands.
  • **Obfuscation:** Plain, readable Markdown, with no base64, hex, or invisible unicode.
  • **External fetches:** No external URLs or fetch instructions.
  • **Credential access:** No environment variable or credential access.
  • **Privilege escalation:** Declares no tools, so it cannot execute anything or elevate scope.

What to do instead

No action is required for this finding. As with any skill, review its instructions before use, and note that this reflects the scanned version at review time; a later update would warrant a fresh review.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/onewave-ai/claude-skills

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.

Copied to clipboard. Go back to ChatGPT or Claude and paste it to teach the skill.