Strava MCP
Advisory. Audited by static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup command will execute code from the npm package, so the user's local environment and Strava authorization flow depend on that external package being trustworthy.
The setup guidance runs an external npm package via npx without pinning a version, and the reviewed artifact set does not include that package's code.
`npx -y strava-mcp-unofficial setup` ... `npx -y strava-mcp-unofficial auth`
Verify the npm package and linked repository before running setup; consider pinning a known-good version if your MCP client configuration supports it.
If mishandled, Strava tokens or private account data could expose the user's fitness, route, or profile information.
The skill expects to handle authentication material and private account data. This is normal for a Strava connector, but it is sensitive authority.
Do not print OAuth tokens, API keys, service-account JSON, local token files, or private user data.
Authorize only the Strava account and scopes you intend to use, do not paste tokens into chats, and revoke the app's access if you no longer need it.
A connected agent may be able to retrieve private Strava activity and GPS data through the MCP server.
The skill is meant to expose Strava data through an MCP-compatible agent interface. This is purpose-aligned, but the data can include sensitive health and location information.
Connect an MCP-compatible agent to local Strava activities, streams, routes, athlete stats, gear, and clubs.
Use this only with MCP clients you trust, keep location-level payloads opt-in, and run status/privacy-audit or dry-run surfaces before allowing broader access.
