Strava
v1.0.0Load and analyze Strava activities, stats, and workouts using the Strava API
⭐ 9· 2.6k·11 current·11 all-time
byBohdan Podvirnyi@bohdanpodvirnyi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name/description (Strava API access) matches what the files do: curl calls to Strava endpoints and a token-refresh helper. However, the registry metadata claims no required environment variables while SKILL.md (and the refresh script) require STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. The mismatch between declared registry requirements and actual runtime needs is an inconsistency to resolve.
Instruction Scope
Runtime instructions stay within the Strava API domain: they show how to call GET endpoints, how to refresh tokens, and how to store credentials in ~/.clawdbot/clawdbot.json or environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to non-Strava endpoints. Note: they do instruct storing sensitive tokens in a local config file (or printing them), which is a sensitive operation.
Install Mechanism
There is no remote install step or downloaded code; this is instruction-only plus a small included script. That keeps the install risk low — nothing is fetched from arbitrary URLs or installed to system paths.
Credentials
The credentials requested by the SKILL.md and the refresh_token.sh (access token, refresh token, client id, client secret) are appropriate for a Strava integration, but the skill manifest/registry metadata does not declare them. Also SKILL.md metadata marks only STRAVA_ACCESS_TOKEN as primaryEnv while the script requires additional secrets. The skill suggests writing secrets to ~/.clawdbot/clawdbot.json (plaintext config) and the refresh script prints new tokens to stdout — both are sensitive practices and should be considered before use.
Persistence & Privilege
The skill is not always:true and does not request system-level persistence beyond advising adding secrets to the Clawdbot config or environment variables. Autonomous invocation is allowed by default (not a unique privilege). The skill does not try to modify other skills' configs.
What to consider before installing
This skill appears to do what it says (call the Strava API and refresh tokens) but there are metadata inconsistencies and sensitive credential handling to consider before installing:
- Metadata mismatch: the registry claims no required env vars but the SKILL.md and included script clearly need STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. Ask the publisher to correct the manifest so required permissions are explicit.
- Secrets handling: the README/SKILL.md suggests storing tokens in ~/.clawdbot/clawdbot.json (plaintext). The included refresh_token.sh prints new tokens to stdout rather than securely storing them. Prefer setting secrets via environment variables or a secure secrets store; if you must use the config file, restrict its filesystem permissions (chmod 600).
- Review the script before running: the refresh script is short and readable, but you should inspect it locally to confirm it only calls Strava and does not send data elsewhere.
- Trust and provenance: the source is listed as unknown. Only provide your Strava client secret and refresh token to skills from publishers you trust. If you have doubts, create a Strava app with limited scope or a throwaway account for testing.
If the publisher updates the registry metadata to accurately list required env vars and documents secure handling of tokens (or implements a safe automatic config update mechanism), the concerns would be reduced.Like a lobster shell, security has layers — review code before you run it.
latestvk977wdetkpd1y3d8gqef9nceqn7ypbyy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏃 Clawdis
Binscurl
EnvSTRAVA_ACCESS_TOKEN
Primary envSTRAVA_ACCESS_TOKEN