Strava CLI Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill coherently wraps the Strava CLI, but users should notice that it requires installing an external tool and authorizing access to Strava data with limited write capability.
Before installing, verify the external stravacli source, understand the Strava permissions granted during login, and require explicit confirmation before any activity update or upload.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may use your Strava authorization to read fitness, route, and activity information that can include sensitive location and health-related data.
The skill requires authenticating to Strava and can access personal Strava account data such as profile, activities, routes, and uploads. This is expected for the stated purpose, but it is sensitive delegated account access.
Authenticate before data commands: `stravacli auth login` ... Athlete profile ... activities ... routes ... uploads
Only authorize the CLI if you trust the external tool and are comfortable granting it Strava account access; review the Strava permissions requested during login.
If used incorrectly, the agent could update an activity or upload an activity file to your Strava account.
The skill documents Strava account mutation commands, including upload with `--yes`, but also explicitly requires confirmation before writes. This is purpose-aligned but user-visible because it can change account data.
Write commands (ask/confirm first) ... `stravacli activities update <id>` ... `stravacli activities upload --file ./run.fit --yes --json` ... Always confirm intent before write actions.
Confirm every write action explicitly, including the target activity ID, new metadata, and upload file path before allowing the command.
The behavior depends on whatever version of the external CLI you install, which may change over time.
The skill instructs users to install an external CLI from a moving latest release or Go @latest. This is disclosed and central to the skill, but the artifact does not pin a version or checksum.
Download latest from: https://github.com/Brainsoft-Raxat/strava-cli/releases/latest ... `go install github.com/Brainsoft-Raxat/strava-cli/cmd/stravacli@latest`
Install from the official repository, prefer a specific reviewed release when possible, and verify the binary before authenticating.
