Strava Cycling Coach
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears coherent for Strava ride analysis, but it requires broad read-only Strava OAuth access, stores ride data locally, and can run persistent background monitoring if the user enables it.
Before installing, make sure you are comfortable granting read access to your Strava activities and profile, storing OAuth tokens and ride data under ~/.config/strava and ~/.cache/strava, and optionally adding a cron job that keeps running in the background.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read private Strava activity and profile information through stored OAuth tokens.
The setup flow asks the user for Strava app credentials and requests read access to all activities plus profile data. This is related to ride analysis, but it is broad account access.
read -p "Enter your Client Secret: " CLIENT_SECRET ... scope=activity:read_all,profile:read_all
Authorize only if you are comfortable with those scopes, keep ~/.config/strava/config.json private, and revoke the app in Strava when you no longer use it.
If enabled, the skill will keep polling Strava and analyzing rides in the background until the cron entry is removed.
The skill documents an optional cron job that repeatedly runs the monitoring script every 30 minutes.
echo "*/30 * * * * $(pwd)/scripts/auto_analyze_new_rides.sh" >> /tmp/cron_backup.txt
crontab /tmp/cron_backup.txt
Enable cron monitoring only if you want continuous checks; inspect and remove the crontab entry if you stop using the skill.
Ride history, performance metrics, and potentially sensitive activity details may remain on the local machine.
The skill persists Strava activity records in a local cache for later monitoring and comparisons.
ACTIVITIES_CACHE = CACHE_DIR / "activities.json" ... json.dump(activities, f, indent=2)
Review or delete ~/.cache/strava when needed, and avoid using this on shared machines unless local file permissions are appropriate.
It is harder to verify provenance or reproduce installation details, though the provided source does not show malicious behavior.
The skill includes runnable scripts but does not provide a source repository, homepage, or install specification in the supplied metadata.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill.
Review the included scripts before running them and prefer installing from a known, trusted source if available.
