Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Strava Cycling Coach

v1.0.0

Track and analyze cycling performance from Strava. Use when analyzing ride data, reviewing fitness trends, understanding workout performance, or providing insights on cycling training. Automatically monitors new rides and provides performance analysis.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description (Strava ride analysis, monitoring, notifications) matches the code: it uses the Strava OAuth endpoints, activity and streams APIs, caches activities, analyzes power/HR metrics, and can be run on a schedule. The required secrets (client_id/client_secret) are requested via the setup flow and stored in ~/.config/strava/config.json, which is appropriate for a Strava integration.
Instruction Scope
Runtime instructions and scripts only access the user's Strava config (~/.config/strava), a local cache (~/.cache/strava), and the Strava API. They do not attempt to read unrelated system files or unknown remote endpoints. However, SKILL.md/README contain several inconsistent script names (e.g., references to analyze_ride.py and monitor_rides.sh that don't exist), and some examples assume a 'Clawdbot message tool' via subprocess but the provided send function currently prints the message (no Telegram API call). Those mismatches can confuse users and should be corrected.
Install Mechanism
There is no automatic install step or remote code download; all code is bundled with the skill and there is no install spec. That reduces supply-chain risk. The setup.sh script is local and only writes config files under the user's home directory.
Credentials
The skill does not declare required environment variables in registry metadata, but it does optionally read STRAVA_TELEGRAM_CHAT_ID for notifications and asks the user for client_id/client_secret during setup to store in config.json. Requesting Strava credentials is proportional and expected. Be aware the token/credentials are stored on disk (complete_auth.py sets file mode to 0o600).
Persistence & Privilege
The skill does persist user data (config and cache) under ~/.config/strava and ~/.cache/strava and suggests optionally adding a cron job for periodic runs, but it does not request elevated privileges or force installation (always:false). No modifications to other skills or system-wide agent settings are present.
Assessment
This skill appears to do what it claims: it connects to Strava, stores the OAuth client ID/secret and tokens in ~/.config/strava/config.json, caches activities in ~/.cache/strava, and can be scheduled by cron. Before installing or running it:
1) Review the bundled scripts yourself (they are included) and verify network calls are only to Strava (https://www.strava.com).
2) Note the README/SKILL.md refer to a few non-existent filenames (e.g., analyze_ride.py, monitor_rides.sh); use the actual scripts in the repo (analyze_and_notify.py, monitor_new_rides.py, etc.) or fix the docs.
3) If you expect Telegram notifications, inspect/modify send_telegram_message to use the real Telegram API or your messaging tooling; currently it prints the message and assumes a 'Clawdbot' message tool.
4) Keep your client_secret and saved tokens protected (the setup script sets 0o600, but verify).
5) If you plan to add the cron job, prefer using an absolute path to the script (not relying on $(pwd)) and review the crontab changes before applying.
If you want more assurance, run the scripts in an isolated environment (different user account or container) the first time and monitor outbound traffic.
