🏃 Coros
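v0.1.0
COROS (高驰) running data retrieval (running-specific):
- Automatic login to the COROS account (supports Token/Cookie caching)
- Fetch the Dashboard (training status, load analysis, recent activities)
- Fetch the activity list and activity details (including laps, weather, training effect)
- Fetch the training schedule and training goal summary
Trigger phrase examples:
- "查看高驰跑步数据" ("View COROS running data")
- "我的..." ("My...")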
by @doaspx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match behavior: the skill logs into COROS (using account/p1/p2 or cookies), reads dashboard, activities, activity details and training schedules, and exposes schedule write operations. The required artifacts (config.json with COROS account hashes and cookies) are proportional to these capabilities.
Instruction Scope
SKILL.md and main.py focus on COROS API calls and local config. The skill caches tokens/cookies to config.json and supports schedule write operations; by default preview/auto_apply=false is used, but the code supports making writes if configured. Users should be aware the skill reads/writes a local config file that contains sensitive data and controls whether writes occur.
Install Mechanism
No install spec (instruction-only with an included Python script). This has low installation risk — nothing is downloaded from arbitrary URLs or installed automatically.
Credentials
The skill does not request unrelated environment variables or external credentials; it expects credentials stored in a local config.json (account, p1/p2 hashes, cookies). Storing secrets in config.json is functional but requires care to avoid accidental exposure.
Persistence & Privilege
always:false and agent-autonomy defaults are normal. The skill persists its own token/cookie/state by writing to config.json (saving token, user_id, saved_cookie). This is limited to its own config file and does not modify other skills or global agent config.
Assessment
This skill appears coherent for reading COROS data, but take these precautions before installing:
1) Keep config.json private — it contains account identifiers, password hashes (p1/p2) and cookies; do not upload it to public registries.
2) By default schedule writes are preview-only, but the skill can perform real writes if you enable auto_apply or change schedule_write settings — review those settings before enabling.
3) Verify network calls go to the expected COROS API domain (teamcnapi.coros.com) and run the code in an isolated environment if you don't trust the source.
4) After testing, rotate credentials if you suspect they were exposed.
If you want higher assurance, inspect the full main.py runpath locally (it saves tokens to config.json) or run with demo_mode=true.
Like a lobster shell, security has layers — review code before you run it.
