Fulcra Context
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any process with the Fulcra token could potentially read the connected health, calendar, and location data allowed by the account consent.
The skill depends on delegated OAuth access to a Fulcra account, which is expected for this integration but grants access to sensitive personal data.
Requires human's Fulcra account + OAuth2 consent.
Use the narrowest Fulcra consent available, store tokens only in protected secret storage where possible, revoke access when not needed, and avoid exposing the token in logs or chat.
Health patterns, calendar details, and location history could be exposed in later conversations, shared contexts, logs, or agent memory if the user does not restrict handling.
The skill intentionally supplies the agent with highly sensitive personal context that could be reused, summarized, or accidentally shared if agent memory or outputs are not constrained.
Your agent can: ... Check your location ... Read your calendar ... See heart rate / HRV trends
Use this skill only in private sessions, disable unnecessary memory retention, query only the data needed for the task, and require explicit approval before sharing any Fulcra-derived information.
After setup, the agent environment may retain continuing access to Fulcra data until the token is removed or consent is revoked.
The documentation recommends an optional scheduled refresh flow, creating ongoing credential persistence. It is disclosed and user-directed, but it keeps access alive without repeated human interaction.
Set up a cron job that refreshes the token every 12 hours
Only enable scheduled refresh if you need automation, review the token file periodically, remove the cron job when no longer needed, and confirm Fulcra access can be revoked from the account portal.
A future package or dependency change could affect the behavior of the local MCP bridge or client tooling.
The recommended MCP setup runs an external package through npx, and other setup options use uvx or pip. This is normal integration plumbing, but the examples do not pin exact versions.
"command": "npx", "args": ["-y", "mcp-remote", "https://mcp.fulcradynamics.com/mcp"]
Prefer pinned package versions or reviewed releases in production, and install from the linked official sources only.
