ClawHub

Fitbit Tracker

v0.2.2

Personal Fitbit integration for daily health tracking with adaptive sleep and activity reporting

2· 105·0 current·0 all-time
by@crabsticksalad
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Fitbit integration) match the included scripts and docs. Required binaries (python3), required env vars (FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_REDIRECT_URI, optional FITBIT_TZ) are appropriate for OAuth-based Fitbit API access.
Instruction Scope
SKILL.md instructs the agent to run the included scripts (oauth login, fetch, normalize, render). Those scripts only access Fitbit endpoints (api.fitbit.com), local token files, and local temp files; they do not reference unrelated system files, other credentials, or external endpoints beyond Fitbit.
Install Mechanism
No install spec; this is an instruction-only skill with bundled Python scripts that rely on the standard library only. Nothing is downloaded from third-party URLs or installed silently.
Credentials
Declared environment variables are exactly the OAuth client ID/secret/redirect URI and an optional timezone; these are necessary and proportionate. The scripts only read these vars (and optionally FITBIT_SCOPES and FITBIT_TOKEN_PATH) as expected.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It stores tokens to a local path (~/.config/openclaw/fitbit/token.json by default) which is normal for an OAuth client; it does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: a local Fitbit OAuth client and renderer. Before installing, ensure you: (1) create a Fitbit developer app and keep the Client Secret private; (2) set FITBIT_REDIRECT_URI to a safe local URL (loopback) or your chosen redirect endpoint; (3) understand tokens will be stored on disk by default at ~/.config/openclaw/fitbit/token.json (you can override with FITBIT_TOKEN_PATH); (4) review scopes (activity, sleep, heartrate, profile, weight) and only grant what you are comfortable sharing; and (5) be aware the scripts will make network calls to api.fitbit.com and respect Fitbit rate limits. If you need higher assurance, inspect the token file after authentication and verify file permissions (save_token attempts 0o600).

Like a lobster shell, security has layers — review code before you run it.

latestvk974hhzdn45hdc44x4rbh81x7583mmsh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💪 Clawdis
Binspython3

Comments