hevy

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill's stated purpose is coherent, and the visible data flow is plausibly to official Hevy services, but its core capability depends on an undocumented bundled binary. Because that executable is unverifiable and it receives the user's Hevy API key, the main risk is supply-chain trust and credential forwarding rather than confirmed malicious behavior.

Confidence: 85%
Severity: 82%
Audit Metadata
Analyzed At: Mar 18, 2026, 10:28 PM
Package URL: pkg:socket/skills-sh/jakubrohleder%2Fagent-toolkit%2Fhevy%2F@963a961d9d85413fc46242c00745f4ae916ea09d