Strava CLI Skill
v2.2.98Use the stravacli terminal tool to access Strava data (athlete profile, activities, streams, routes, segments, clubs, gear, uploads) and perform limited writ...
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the SKILL.md: it tells the agent to use the external stravacli tool to read and (with confirmation) write Strava data. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
Instructions only tell the agent to install and run stravacli commands (read commands by default, explicit confirmation for write commands). The SKILL.md does not instruct reading arbitrary system files or sending data to unexpected endpoints. It does reference local files for uploads/exports and the CLI's auth flows, which is appropriate for a CLI integration.
Install Mechanism
There is no automatic install; the doc points to GitHub releases or go install. Both are reasonable but require trusting the third‑party repository and any released binaries.
Credentials
The skill requests no environment variables and relies on the CLI's own OAuth authentication for Strava tokens — appropriate and proportional for the described functionality.
Persistence & Privilege
Skill is instruction-only, not always-enabled, and does not request elevated system presence or modify other skills. Normal autonomous invocation is allowed (platform default).
Assessment
This skill is a thin wrapper that instructs the agent to call the external stravacli CLI. Before installing or following its instructions: (1) review the GitHub repo and release artifacts you will install (check source and release integrity) because installing binaries or running `go install` executes third‑party code; (2) be aware stravacli will perform OAuth and store tokens locally—know where tokens are saved and protect/revoke them if needed; (3) the skill will only perform writes if you confirm, but double-check any upload/update commands before approving; (4) if you need headless auth, avoid exposing callback URLs you don't control, as that may leak tokens. If any of these points are unacceptable, do not install or run the external CLI.Like a lobster shell, security has layers — review code before you run it.
latest
stravacli
Use stravacli for Strava operations from terminal.
Prerequisites
This skill depends on the external CLI project:
Install stravacli before using this skill:
- Recommended (release binary):
- Download latest from: https://github.com/Brainsoft-Raxat/strava-cli/releases/latest
- Or with Go:
go install github.com/Brainsoft-Raxat/strava-cli/cmd/stravacli@latest
Then verify binary is available in PATH:
stravacli --version
Setup
- Authenticate before data commands:
- Local:
stravacli auth login - Headless/VPS:
stravacli auth login --remote, then complete withstravacli auth login --auth-url '<callback-url>'
- Local:
- Verify auth:
stravacli auth status
Read commands (preferred by default)
- Athlete profile:
stravacli athlete me --json - Athlete stats:
stravacli athlete stats --json - Athlete zones:
stravacli athlete zones --json - List activities:
stravacli activities list --per-page 10 --json - Activity details:
stravacli activities get <id> --json - Activity laps:
stravacli activities laps <id> --json - Activity streams:
stravacli activities streams <id> --json - Routes list/get:
stravacli routes list --json/stravacli routes get <id> --json - Export route file:
stravacli routes export <id> --format gpx --out ./route.gpx - Segments/starred/explore:
stravacli segments starred --json,stravacli segments explore --bounds <swlat,swlng,nelat,nelng> --json - Clubs:
stravacli clubs list --json - Gear:
stravacli gear get <id> --json - Upload status:
stravacli uploads get <uploadId> --json
Write commands (ask/confirm first)
- Update activity metadata:
stravacli activities update <id> --name 'New name' --description '...' - Upload activity file:
stravacli activities upload --file ./run.fit --yes --json
Always confirm intent before write actions.
Output conventions
- Use
--jsonwhen results need parsing or reuse. - Keep user summaries concise; include key metrics and IDs.
- If a command fails with auth errors, suggest
stravacli auth statusthen re-login.
Comments
Loading comments...
