v1.0.0

Strava Cycling Coach

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:53 AM.

Analysis

The skill is mostly consistent with Strava ride analysis, but it asks for broad Strava account access, stores activity data locally, and can create a recurring background monitor.

Guidance: Review the Strava OAuth scopes before authorizing. Use this skill only if you are comfortable granting broad read access to Strava activity/profile data and storing tokens plus activity caches under ~/.config/strava and ~/.cache/strava. If you enable automatic monitoring, check your crontab and remove the scheduled entry when you no longer want background checks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low. Confidence: High. Status: Note.
SKILL.md
# Set up cron job (checks every 30 minutes)
crontab -l > /tmp/cron_backup.txt
echo "*/30 * * * * $(pwd)/scripts/auto_analyze_new_rides.sh" >> /tmp/cron_backup.txt
crontab /tmp/cron_backup.txt

The skill openly documents an optional cron job that runs on a schedule. This is purpose-aligned for automatic ride monitoring, but it is persistent background behavior.

User impact: If enabled, the skill will keep checking Strava and writing logs every 30 minutes until the cron entry is removed.
Recommendation: Enable the cron job only if automatic monitoring is desired, and document how to remove or pause the scheduled task.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Concern.
scripts/setup.sh
OAUTH_URL="https://www.strava.com/oauth/authorize?client_id=${CLIENT_ID}&redirect_uri=http://localhost:8080/callback&response_type=code&scope=activity:read_all,profile:read_all"

The OAuth setup requests read-all access to Strava activities and profile data. That is sensitive delegated account access and is broader than clearly justified for ride-performance analysis, especially the profile:read_all scope.

User impact: Installing users may grant the skill access to private Strava activity and profile information, not just the specific ride metrics needed for analysis.
Recommendation: Use least-privilege OAuth scopes, clearly document why each scope is needed, and avoid profile:read_all unless the skill genuinely requires it.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Concern.
scripts/monitor_new_rides.py
recent = fetch_recent_activities(config, limit=20)
...
if new_rides:
    update_cache_with_new_activities(recent)

The monitor checks for new virtual rides, but when it finds one it caches the full recent activity list returned by Strava, not only the newly analyzed virtual ride.

User impact: More Strava activity data than expected may be retained locally in the cache, including activity records outside the specific new cycling ride being analyzed.
Recommendation: Cache only the minimum fields and activity types needed, document retention behavior, and set restrictive permissions on cache and log files.