Back to skill

Security audit

Strava

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Strava integration, but it handles sensitive account tokens too casually.

Install only if you are comfortable granting the skill read access to your Strava activity data. Treat all Strava tokens and client secrets as passwords, avoid running the refresh script in logged or shared terminals, do not commit the config file, restrict local file access, and revoke or rotate Strava credentials if any token output is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README instructs users to place sensitive Strava OAuth credentials, including refresh tokens and client secrets, into a local configuration file but does not warn about protecting those secrets or the privacy implications of exposing fitness and profile data. While this file is documentation rather than executable code, the omission can lead users to mishandle long-lived credentials and personal activity data, increasing risk of unauthorized account access if the config is exposed.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation instructs users to handle long-lived OAuth credentials and athlete data, but it does not clearly warn that these tokens and outputs are sensitive and should not be logged, shared, or committed to source control. In a fitness-data context, exposed tokens can grant access to private activity history and profile information, increasing privacy risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script prints newly issued access and refresh tokens directly to stdout, which can expose long-lived credentials in terminal scrollback, shell history capture, CI logs, screen recordings, or remote session logging. Because the refresh token can mint future access tokens, disclosure can enable persistent unauthorized access to the user's Strava account data.

Credential Access

High
Category
Privilege Escalation
Content
if [ -n "$NEW_ACCESS_TOKEN" ]; then
  echo "✓ Token refreshed successfully"
  echo "New access token: $NEW_ACCESS_TOKEN"
  echo "New refresh token: $NEW_REFRESH_TOKEN"
  echo "Expires at: $(date -r "$EXPIRES_AT" 2>/dev/null || date -d "@$EXPIRES_AT" 2>/dev/null || echo "$EXPIRES_AT")"
  echo ""
Confidence
99% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.