Fulcra Context
v1.2.0
Access your human's personal context data (biometrics, sleep, activity, calendar, location) via the Fulcra Life API and MCP server. Requires human's Fulcra account + OAuth2 consent.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (access Fulcra personal data) matches what it requests (FULCRA_ACCESS_TOKEN) and the included code calls the Fulcra API. However, the registry metadata only declares 'curl' as a required binary while SKILL.md and the included script expect python3/pip (and npx/uvx for MCP server integration). That mismatch is an implementation oversight that could surprise users but is not by itself malicious.
Instruction Scope
SKILL.md stays on-topic: it describes obtaining an OAuth2 token, storing it locally, using it in API calls to api.fulcradynamics.com, and running the provided fulcra_auth.py for device flow and refresh. It does instruct storing tokens to ~/.config/fulcra/token.json and printing tokens into the environment for piping (export FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)). Those behaviors are expected for this purpose but raise operational risk: the token-printing/cron-refresh pattern increases the chances of accidental token exposure if logs, backups, or shared shells capture the token. The skill does not instruct reading unrelated system files or sending data to domains other than the Fulcra endpoints and the Auth0 domain.
Install Mechanism
There is no install spec (instruction-only) and the repository includes the Python script locally, so nothing unknown is automatically downloaded by the skill itself. SKILL.md references pip install fulcra-api and using npx/uvx to run an MCP server; those commands can pull network code at install/run-time if the user follows them. That is a normal developer flow but the user should be aware that npx/uvx will fetch remote packages when invoked.
Credentials
Only a single primary credential is declared (FULCRA_ACCESS_TOKEN), which is appropriate for the stated purpose. The included code stores both access and refresh tokens locally to support silent refresh; that is proportionate for an OAuth2 client but increases the persistence of access (refresh tokens allow long-lived access) and thus should be considered a sensitive secret.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It writes token state to its own config path (~/.config/fulcra/token.json) and does not modify other skills' configs. The autonomous invocation default is allowed but not combined with elevated privileges here.
What to consider before installing
This skill appears to do what it says (connect to Fulcra and read personal metrics), but before installing you should:
1) Verify you trust the Fulcra project and the referenced GitHub/MCP endpoints;
2) Confirm you have Python3 and pip if you plan to use the included script (the registry only listed 'curl' which is incomplete);
3) Understand that the included script stores a refresh_token locally (~/.config/fulcra/token.json) and can refresh access without a human — treat that file as highly sensitive and ensure file permissions and backups are protected;
4) Avoid placing token output into logs or shared shells (the helper can print the token for piping — this is convenient but risky);
5) If you deploy a cron job to auto-refresh, ensure the cron environment can't leak the token to other users or uploads;
6) Prefer least-privilege (only request the metrics you need) and be ready to revoke the refresh token from your Fulcra account if you suspect compromise.
If you need higher assurance, ask the maintainer for a formal provenance link (official repository release/tag) and a reproducible install spec that lists all required binaries.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🫀 Clawdis
Bins: curl
Primary env: FULCRA_ACCESS_TOKEN
