Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Strava Cycling Coach

Track and analyze cycling performance from Strava. Use when analyzing ride data, reviewing fitness trends, understanding workout performance, or providing insights on cycling training. Automatically monitors new rides and provides performance analysis.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.5k · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (Strava ride analysis, monitoring, notifications) matches the code: it uses the Strava OAuth endpoints, activity and streams APIs, caches activities, analyzes power/HR metrics, and can be run on a schedule. The required secrets (client_id/client_secret) are requested via the setup flow and stored in ~/.config/strava/config.json, which is appropriate for a Strava integration.
Instruction Scope
Runtime instructions and scripts only access the user's Strava config (~/.config/strava), a local cache (~/.cache/strava), and the Strava API. They do not attempt to read unrelated system files or unknown remote endpoints. However, SKILL.md/README contain several inconsistent script names (e.g., references to analyze_ride.py and monitor_rides.sh that don't exist), and some examples assume a 'Clawdbot message tool' via subprocess but the provided send function currently prints the message (no Telegram API call). Those mismatches can confuse users and should be corrected.
Install Mechanism
There is no automatic install step or remote code download; all code is bundled with the skill and there is no install spec. That reduces supply-chain risk. The setup.sh script is local and only writes config files under the user's home directory.
Credentials
The skill does not declare required environment variables in registry metadata, but it does optionally read STRAVA_TELEGRAM_CHAT_ID for notifications and asks the user for client_id/client_secret during setup to store in config.json. Requesting Strava credentials is proportional and expected. Be aware the token/credentials are stored on disk (complete_auth.py sets file mode to 0o600).
Persistence & Privilege
The skill does persist user data (config and cache) under ~/.config/strava and ~/.cache/strava and suggests optionally adding a cron job for periodic runs, but it does not request elevated privileges or force installation (always:false). No modifications to other skills or system-wide agent settings are present.
Assessment
This skill appears to do what it claims: it connects to Strava, stores the OAuth client ID/secret and tokens in ~/.config/strava/config.json, caches activities in ~/.cache/strava, and can be scheduled by cron. Before installing or running it:

  1. Review the bundled scripts yourself (they are included) and verify network calls are only to Strava (https://www.strava.com).
  2. Note the README/SKILL.md refer to a few non-existent filenames (e.g., analyze_ride.py, monitor_rides.sh): use the actual scripts in the repo (analyze_and_notify.py, monitor_new_rides.py, etc.) or fix the docs.
  3. If you expect Telegram notifications, inspect/modify send_telegram_message to use the real Telegram API or your messaging tooling; currently it prints the message and assumes a 'Clawdbot' message tool.
  4. Keep your client_secret and saved tokens protected (the setup script sets 0o600 but verify).
  5. If you plan to add the cron job, prefer using an absolute path to the script (not relying on $(pwd)) and review the crontab changes before applying.

If you want more assurance, run the scripts in an isolated environment (different user account or container) the first time and monitor outbound traffic.
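
The pre-run checks from the assessment above (network destinations, config file mode, cron path) as an added shell example. It is not part of the skill or of the scan output. The function names are hypothetical, the file paths are the ones this page names, and the host scan is a first pass over literal URLs only, so hosts assembled at runtime are not seen.

```shell
#!/bin/sh
# Added example, not part of the skill. Function names are hypothetical;
# file paths are the ones the page names.

# Print each host in an http(s) URL under DIR that is not strava.com or a
# subdomain. localhost is allowed: it is the OAuth callback domain.
foreign_hosts() {
    grep -rhoE 'https?://[A-Za-z0-9.@:-]+' "$1" 2>/dev/null \
        | sed -E -e 's#^https?://##' -e 's#^.*@##' -e 's#[.]+$##' -e 's#:[0-9]*$##' \
        | tr 'A-Z' 'a-z' | sort -u \
        | grep -vE '^(([a-z0-9-]+[.])*strava[.]com|localhost|127[.]0[.]0[.]1)$' || true
}

# Succeed only if FILE exists with mode 600 (GNU stat, then BSD stat).
mode_is_600() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Read crontab text on stdin; print entries whose command (field 6) runs
# something under scripts/ through a path that is not absolute.
relative_cron_entries() {
    grep -vE '^[[:space:]]*(#|$)' \
        | awk '$6 ~ /scripts\// && $6 !~ /^\// { print }'
}

audit() {
    cfg="$HOME/.config/strava/config.json"
    mode_is_600 "$cfg" || echo "WARN: $cfg missing or not mode 600"
    foreign_hosts "$1/scripts" | sed 's/^/WARN: non-Strava host: /'
    crontab -l 2>/dev/null | relative_cron_entries \
        | sed 's/^/WARN: relative cron path: /'
}

# Usage: sh audit.sh audit skills/strava
if [ "${1:-}" = "audit" ]; then audit "${2:-.}"; fi
```

The userinfo strip (`s#^.*@##`) matters: a URL written as `https://www.strava.com@other.host/` connects to `other.host`, and a plain substring check for "strava.com" would pass it.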

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97dczh1y8dmb17fxhej0cx11x7zxewx

SKILL.md

Strava Cycling Coach

Track cycling performance, analyze rides, and monitor fitness progression using the Strava API.

Setup

1. Create Strava API Application

Visit https://www.strava.com/settings/api and create an application:

  • Application Name: Clawdbot (or your preferred name)
  • Category: Data Importer
  • Club: (leave blank)
  • Website: http://localhost
  • Authorization Callback Domain: localhost

Save your Client ID and Client Secret.

2. Run Setup Script

cd skills/strava
./scripts/setup.sh

You'll be prompted for:

  1. Client ID
  2. Client Secret
  3. Visit an OAuth URL to authorize
  4. Copy the authorization code and complete setup with:
./scripts/complete_auth.py YOUR_CODE_HERE

3. Configure Automatic Monitoring (Optional)

To receive automatic ride analysis after each workout:

# Set your Telegram chat ID
export STRAVA_TELEGRAM_CHAT_ID="your_telegram_chat_id"

# Add to your shell profile for persistence
echo 'export STRAVA_TELEGRAM_CHAT_ID="your_telegram_chat_id"' >> ~/.bashrc

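# Set up cron job (checks every 30 minutes).
# Run this from skills/strava: $(pwd) is expanded when the echo runs, so the
# crontab entry records that directory as an absolute path.
crontab -l > /tmp/cron_backup.txt
echo "*/30 * * * * $(pwd)/scripts/auto_analyze_new_rides.sh" >> /tmp/cron_backup.txt
crontab /tmp/cron_backup.txt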

4. Test the Setup

Analyze your recent rides:

./scripts/analyze_rides.py --days 90 --ftp YOUR_FTP

Usage

Get latest ride:

scripts/get_latest_ride.py

Analyze specific ride:

scripts/analyze_ride.py <activity-id>

Monitor for new rides (runs in background):

scripts/monitor_rides.sh

Automatic Monitoring

The skill can automatically:

  1. Check for new rides every 30 minutes
  2. Analyze power, heart rate, and training load
  3. Send insights about performance and fitness trends
  4. Compare to recent training history

Metrics Analyzed

  • Power: Average, normalized, max, variability index
  • Heart rate: Average, max, time in zones
  • Training load: TSS estimation, intensity factor
  • Fitness progression: Trends over time
  • Segments: PR achievements and efforts
  • Comparative: vs recent rides, vs personal bests

Configuration

Edit ~/.config/strava/config.json to customize:

  • Monitoring frequency
  • Analysis preferences
  • Notification settings

API Reference

See references/api.md for complete Strava API documentation.

Files

11 total