hevy
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill communicates with the official Hevy API at https://api.hevyapp.com. This is a legitimate well-known service domain for the skill's stated purpose.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration was detected. The `HEVY_API_KEY` is correctly handled via environment variables and is only transmitted to the authoritative API endpoint in the `api-key` header.
- [COMMAND_EXECUTION]: The CLI tool performs standard file system read operations when using the `--file` flag in the `create-routine` and `update-routine` commands. These operations are gated by the agent's file access permissions and intended for processing user-provided workout data.
- [SAFE]: The codebase is transparent, uses standard dependencies (`commander`), and does not contain any obfuscated code or prompt injection patterns.
Audit Metadata