Strava

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: strava
Version: 1.0.0

The skill bundle is benign. It provides a legitimate integration with the Strava API, requiring standard OAuth credentials (STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET) for its stated purpose. All `curl` commands in SKILL.md and scripts/refresh_token.sh are directed at official Strava API endpoints. There is no evidence of data exfiltration beyond necessary API interaction, malicious execution (e.g., `curl|bash` from external sources), persistence mechanisms, obfuscation, or prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone, or any agent process, holding this token can read whatever activity data of the connected Strava account that scope allows.

Why it was flagged

The OAuth setup asks for Strava activity read-all permission, which is aligned with the skill’s purpose but can grant access to private activity history and fitness metrics.

Skill content

scope=activity:read_all

Recommendation

Only grant the scope if you are comfortable sharing your Strava activity data with the agent, keep tokens private, and revoke the Strava app if you stop using the skill.

What this means

The refreshed access and refresh tokens could be exposed to anyone who can see the command output or logs.

Why it was flagged

The refresh helper prints newly issued OAuth tokens so the user can update configuration; this is functional but sensitive if terminal output, logs, or chat transcripts are shared.

Skill content

echo "New access token: $NEW_ACCESS_TOKEN"
echo "New refresh token: $NEW_REFRESH_TOKEN"

Recommendation

Run the refresh helper only in a trusted environment, avoid sharing command output, and rotate or revoke tokens if they are exposed.

What this means

The agent can retrieve Strava account data through the documented API calls when provided with the token.

Why it was flagged

The skill uses direct curl commands with a bearer token to call Strava APIs. The examples are expected for this integration and scoped to Strava endpoints.

Skill content

curl -s -H "Authorization: Bearer ${STRAVA_ACCESS_TOKEN}" \
  "https://www.strava.com/api/v3/athlete/activities?per_page=30"

Recommendation

Keep use limited to the documented Strava endpoints, and review any generated curl command that differs from the examples before running it.