Strava Python Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Strava query skill, but it requests broad Strava read permissions and stores OAuth credentials locally, so it should be reviewed before use.
Before installing, confirm you are comfortable granting broad Strava profile and activity read access, review the permissions shown during Strava OAuth, and protect or remove ~/.strava_credentials.json when you no longer need the skill.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Broad OAuth scopes
Impact: Authorizing this skill may grant access to private profile and activity data, not just the narrow workout summaries a user may expect.
Detail: The OAuth setup requests broad Strava read scopes, including all/profile/activity read permissions, while the visible commands are limited to recent activities, stats, and last workout.
Evidence: scope=['read', 'read_all', 'activity:read_all', 'profile:read_all']
Recommendation: Use the least Strava scopes needed, clearly explain each requested permission, and make private/all-history access an explicit opt-in.
Finding 2: Long-lived credentials stored in a local file
Impact: Any local process or agent task that can read this file could reuse the saved Strava credentials until the user revokes them.
Detail: The setup saves long-lived OAuth material and the client secret to a local JSON file, with no shown chmod/keychain protection or clear retention limits.
Evidence: 'refresh_token': token_response['refresh_token'], ... 'client_secret': client_secret ... config_path = os.path.expanduser('~/.strava_credentials.json')
Recommendation: Store secrets in an OS keychain or restrict the file to the user, avoid saving secrets that are not required, and document how to revoke the Strava app token.
Finding 3: Unpinned third-party dependency
Impact: A future package change or compromised dependency could affect the skill's behavior.
Detail: The skill depends on installing a third-party Python package by name; this is expected for a Python Strava integration, but no pinned version or lockfile is provided.
Evidence: pip install stravalib
Recommendation: Install from a trusted environment and prefer a pinned stravalib version or lockfile.
Finding 4: Documented token refresh not present in the reviewed code
Impact: Users may misunderstand why a refresh token is stored or expect safer token lifecycle handling than the code demonstrates.
Detail: The documentation claims automatic token refresh, while the reviewed controller code only sets the saved access token and does not show a refresh flow.
Evidence: ✅ **Auto-refresh tokens** - handles OAuth automatically
Recommendation: Either implement token refresh clearly or update the documentation to match the actual credential handling.
