Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Coach
v1.3.1基于TrainingPeaks和Garmin数据,智能生成个性化铁三训练计划并动态调整,支持每日微信推送和多赛事管理。
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (TrainingPeaks + Garmin coach) match the implementation: tp_client.py talks to tpapi.trainingpeaks.com using a Production_tpAuth cookie; data_fetcher.py uses garminconnect and caches tokens. No unrelated cloud credentials or irrelevant binaries requested.
Instruction Scope
SKILL.md instructs users to extract a TrainingPeaks cookie from browser devtools and to put Garmin email/password into user_config.json; runtime code reads/writes only the described paths (~/.trainingpeaks/*, ~/.garmin_tokens/, skill directory caches). This is scope-consistent but involves manual cookie extraction and storing secrets on disk (sensitive operations) which the user should be aware of.
Install Mechanism
No install spec (instruction-only) and bundled Python scripts are provided. The only external dependency is garminconnect (pip). No remote downloads or execution of fetched archives are present in the package.
Credentials
The skill expects a TrainingPeaks auth cookie (or TP_AUTH_COOKIE env var) and Garmin credentials — both are proportionate to the stated functionality. However credentials are stored in plaintext files (user_config.json and ~/.trainingpeaks/cookie) and cached tokens are written to disk; that increases risk if the host is shared or backups are uploaded.
Persistence & Privilege
Skill does not request always:true or elevated platform privileges. It writes its own cache and token files (~/.trainingpeaks, ~/.garmin_tokens, skill .plan_state) which is normal for client tooling and limited to the user's home/skill directory.
Assessment
This skill appears coherent with its stated purpose, but it requires highly sensitive credentials: a TrainingPeaks 'Production_tpAuth' cookie and your Garmin email/password. Before installing or running it: 1) Only proceed if you trust the source (owner unknown). 2) Inspect tp_client.py and data_fetcher.py yourself (they call only trainingpeaks and Garmin endpoints). 3) Be aware credentials are stored locally (~/.trainingpeaks/cookie, user_config.json) and tokens cached; set strict file permissions (chmod 600) and avoid committing these files to any repo or cloud backup. 4) If possible, create a limited/test Garmin account or use secondary credentials instead of your primary account. 5) Consider running the skill in an isolated environment (container/VM) if you are concerned. 6) If you prefer not to expose raw cookies/passwords, look for an official OAuth/integrated connector or a skill from a verified publisher.Like a lobster shell, security has layers — review code before you run it.
ai-coachvk971vtwsbxqxe20g1cdtjcz8mh844smhgarminvk971vtwsbxqxe20g1cdtjcz8mh844smhlatestvk97bxkj5x1nhycr778y7bkw1t18440nbsportvk971vtwsbxqxe20g1cdtjcz8mh844smhtrainingvk971vtwsbxqxe20g1cdtjcz8mh844smhtriathlonvk971vtwsbxqxe20g1cdtjcz8mh844smh
License
MIT-0
Free to use, modify, and redistribute. No attribution required.