Strava Python

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Strava helper, but it requests broad Strava read access and stores long-lived credentials in a plaintext local file without permission hardening.

Install only if you are comfortable granting broad read access to Strava data, including private activity and profile data. Treat ~/.strava_credentials.json as a secret, restrict it to your user account, avoid shared or untrusted machines, and revoke the Strava app authorization if the file may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The setup flow tells users that OAuth credentials will be saved locally, but it does not clearly warn about the sensitivity of refresh/access tokens, local compromise risk, or expected file protections. Users may proceed without understanding that these tokens can enable ongoing access to their Strava account data if copied by another process or user.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script stores long-lived Strava secrets and tokens, including the client secret, access token, and refresh token, in a plaintext file under the user's home directory. This creates a real credential-exposure risk if the host is multi-user, backed up insecurely, malware is present, or file permissions are too broad.

Credential Access

Severity: High
Category: Privilege Escalation
Content (excerpt from the skill's source):
'client_secret': client_secret
    }

    config_path = os.path.expanduser('~/.strava_credentials.json')
    with open(config_path, 'w') as f:
        json.dump(credentials, f, indent=2)
Confidence: 96%
Finding:
credentials.json

VirusTotal

59/59 vendors flagged this skill as clean.
