ClawHub

Strava

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Strava integration, but it handles live OAuth tokens too casually and should be reviewed before use.

Install only if you are comfortable giving the skill Strava OAuth access. Treat the config values and refresh tokens as secrets, do not commit or share them, restrict config file permissions, avoid running token refresh commands in logged environments, and rotate/revoke Strava credentials if any token output was exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to place long-lived Strava access tokens, refresh tokens, client ID, and client secret directly into a local JSON config without any warning about their sensitivity or guidance on file permissions, secret isolation, or rotation. If that config is exposed through backups, local compromise, logs, screenshots, or accidental commit, an attacker could access the user's Strava account data and refresh tokens to maintain access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs users to retrieve athlete profile, activity, and workout data from Strava, which can reveal sensitive fitness, location, and behavioral information. Without an explicit privacy warning or guidance on minimizing scope and handling exported data safely, users may expose personal data more broadly than intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs users to store access tokens, refresh tokens, client IDs, and client secrets in configuration or environment variables but does not warn about secret handling risks. Compromise of these credentials could allow unauthorized API access, token refresh, and continued access to sensitive athlete data.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script prints the newly issued access token and refresh token directly to stdout. This is dangerous because terminal output is often captured in shell history, CI/CD logs, remote session transcripts, or monitoring systems, which can leak long-lived credentials and enable unauthorized access to the user's Strava account.

Credential Access

High
Category
Privilege Escalation
Content
if [ -n "$NEW_ACCESS_TOKEN" ]; then
  echo "✓ Token refreshed successfully"
  echo "New access token: $NEW_ACCESS_TOKEN"
  echo "New refresh token: $NEW_REFRESH_TOKEN"
  echo "Expires at: $(date -r "$EXPIRES_AT" 2>/dev/null || date -d "@$EXPIRES_AT" 2>/dev/null || echo "$EXPIRES_AT")"
  echo ""
Confidence
98% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal