ClawHub

Strava CLI Skill

v2.2.98

Use the stravacli terminal tool to access Strava data (athlete profile, activities, streams, routes, segments, clubs, gear, uploads) and perform limited writ...

0· 422·0 current·0 all-time
byRaxat@brainsoft-raxat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the SKILL.md: it tells the agent to use the external stravacli tool to read and (with confirmation) write Strava data. No unrelated credentials, binaries, or paths are requested.
Instruction Scope
Instructions only tell the agent to install and run stravacli commands (read commands by default, explicit confirmation for write commands). The SKILL.md does not instruct reading arbitrary system files or sending data to unexpected endpoints. It does reference local files for uploads/exports and the CLI's auth flows, which is appropriate for a CLI integration.
Install Mechanism
There is no automatic install; the doc points to GitHub releases or go install. Both are reasonable but require trusting the third‑party repository and any released binaries.
Credentials
The skill requests no environment variables and relies on the CLI's own OAuth authentication for Strava tokens — appropriate and proportional for the described functionality.
Persistence & Privilege
Skill is instruction-only, not always-enabled, and does not request elevated system presence or modify other skills. Normal autonomous invocation is allowed (platform default).
Assessment
This skill is a thin wrapper that instructs the agent to call the external stravacli CLI. Before installing or following its instructions: (1) review the GitHub repo and release artifacts you will install (check source and release integrity) because installing binaries or running `go install` executes third‑party code; (2) be aware stravacli will perform OAuth and store tokens locally—know where tokens are saved and protect/revoke them if needed; (3) the skill will only perform writes if you confirm, but double-check any upload/update commands before approving; (4) if you need headless auth, avoid exposing callback URLs you don't control, as that may leak tokens. If any of these points are unacceptable, do not install or run the external CLI.

Like a lobster shell, security has layers — review code before you run it.

latestvk97532xn3c8cgjmvfz6ph1p3wx8259tf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments