Strava

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says—read Strava data through Strava’s API—but it requires sensitive Strava OAuth credentials and may expose private fitness data if used.

This skill is reasonable for reading and analyzing Strava data, but treat the OAuth tokens like passwords. Grant only the Strava access you are comfortable with, avoid exposing token-refresh output, and revoke the Strava app if you no longer use the skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent process using this token can read the connected Strava account’s activity data allowed by that scope.

Why it was flagged

The OAuth setup asks for Strava activity read-all permission, which is aligned with the skill’s purpose but can grant access to private activity history and fitness metrics.

Skill content

scope=activity:read_all

Recommendation

Only grant the scope if you are comfortable sharing your Strava activity data with the agent, keep tokens private, and revoke the Strava app if you stop using the skill.

What this means

The refreshed access and refresh tokens could be exposed to anyone who can see the command output or logs.

Why it was flagged

The refresh helper prints newly issued OAuth tokens so the user can update configuration; this is functional but sensitive if terminal output, logs, or chat transcripts are shared.

Skill content

echo "New access token: $NEW_ACCESS_TOKEN"
echo "New refresh token: $NEW_REFRESH_TOKEN"

Recommendation

Run the refresh helper only in a trusted environment, avoid sharing command output, and rotate or revoke tokens if they are exposed.

What this means

The agent can retrieve Strava account data through the documented API calls when provided with the token.

Why it was flagged

The skill uses direct curl commands with a bearer token to call Strava APIs. The examples are expected for this integration and scoped to Strava endpoints.

Skill content

curl -s -H "Authorization: Bearer ${STRAVA_ACCESS_TOKEN}" \
  "https://www.strava.com/api/v3/athlete/activities?per_page=30"

Recommendation

Keep use limited to the documented Strava endpoints and review any generated curl command before running it if it differs from the examples.