Polar MCP

Advisory

Audited by Static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or authenticating may run external package code that can interact with Polar credentials and data.

Why it was flagged

The setup path runs an external npm package that is not included or version-pinned in the reviewed artifacts. This is purpose-aligned for an MCP connector, but the user must trust that package before authenticating.

Skill content

`npx -y polar-mcp-unofficial setup` ... `npx -y polar-mcp-unofficial auth`

Recommendation

Verify the npm package and GitHub repository, consider pinning a known-good version, and run setup only in a trusted environment.

What this means

A connected agent or MCP server may be able to access Polar account data within the granted OAuth scope.

Why it was flagged

The skill requires delegated Polar OAuth access and stores tokens locally. This is expected for Polar AccessLink, but it grants access to a user’s Polar account data.

Skill content

`npx -y polar-mcp-unofficial auth` ... `Polar OAuth tokens stay under ~/.polar-mcp/.`

Recommendation

Authenticate only if you trust the MCP package and client, protect the local token directory, and revoke Polar access if you stop using it.

What this means

Fitness, sleep, HRV, sample, and route/GPS data could enter the agent’s working context or outputs.

Why it was flagged

The skill is designed to expose sensitive Polar data through an MCP-compatible agent interface. This is the intended purpose, but users should ensure the receiving agent/client is trusted.

Skill content

Connect an MCP-compatible agent to Polar AccessLink training, sleep, Nightly Recharge, PPI/HRV, route, and sample data.

Recommendation

Use trusted MCP clients only, keep route/GPS access opt-in, and run privacy_audit or manifest checks before exposing data.