ClawHub

Strava Python

v1.0.0

Query Strava activities, stats, and workout data using Python/stravalib with interactive setup

0· 1k·1 current·1 all-time
by@abclark
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (python3), pip dependency (stravalib), and included scripts (setup.py, strava_control.py) are coherent for a Strava Python client. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md instructs the user to create a Strava app, run an interactive setup, and save OAuth tokens to ~/.strava_credentials.json — this matches the included setup.py which performs those actions. However a pre-scan found 'unicode-control-chars' in SKILL.md (a prompt-injection indicator), which is unexpected and should be inspected; otherwise the runtime instructions stay within the stated purpose and do not attempt to read unrelated system files or environment variables.
Install Mechanism
There is no arbitrary download/install script — the metadata/instructions use pip to install the well-known 'stravalib' package. This is a standard install mechanism for a Python skill and proportional to the task.
Credentials
The skill does not require environment variables and instead asks interactively for your Strava Client ID/Secret and stores tokens locally. That is reasonable for this purpose, but the setup writes client_secret, access_token and refresh_token in plaintext to ~/.strava_credentials.json — expected for a simple tool but a sensitive practice. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true nor modify other skills or system-wide settings. It creates one file in the user's home (~/.strava_credentials.json) to persist its own credentials, which is expected behavior for this type of tool.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md triggered a 'unicode-control-chars' prompt-injection detector. The skill otherwise behaves as a normal Strava client, so this finding may be an attempt to hide or manipulate text in the skill description/instructions. Inspect SKILL.md for hidden/invisible characters before trusting or displaying its content in automated contexts.
What to consider before installing
This skill appears to be a straightforward Python Strava client and the included code implements the behavior described. Before installing: 1) Inspect SKILL.md and the two Python files yourself (or have someone you trust review them) — the pre-scan flagged hidden unicode control characters which are not expected. 2) Be aware the setup stores your client_secret, access_token, and refresh_token in plaintext at ~/.strava_credentials.json; if you proceed, restrict file permissions (chmod 600) or use a secure secrets store. 3) Verify you install the legitimate 'stravalib' package from PyPI and that you trust the skill source (the registry 'owner id' is not a public GitHub link). 4) Consider running the setup in a sandboxed environment first (or manually perform the OAuth steps via browser and paste tokens) if you are uncertain. 5) Do not paste credentials into public channels and revoke the Strava app credentials if you later suspect misuse.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d8r207d43xw0gtqhm9t38m9810twe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏃 Clawdis
Binspython3

Comments