Fitbit (Official API)
v0.1.0
Official Fitbit OAuth integration for OpenClaw (Tier 1). Use to connect/authorize Fitbit, store+refresh tokens locally, fetch daily activity + sleep summarie...
by Gavin C. (@gavinchengcool)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (Fitbit OAuth, fetch daily activity/sleep, normalize, render) matches the included scripts and SKILL.md. One inconsistency: the registry metadata at the top lists "Required env vars: none", but SKILL.md and the code clearly require FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, and FITBIT_REDIRECT_URI. This is likely an editorial/metadata error rather than malicious behavior.
Instruction Scope
SKILL.md instructs the agent and user to run the included Python scripts to perform OAuth, fetch Fitbit API endpoints, normalize, and render results. The scripts only access the declared env vars, the local token file (default: ~/.config/openclaw/fitbit/token.json), and the official Fitbit API endpoints. They do not read arbitrary system files or contact unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only), and the code files are bundled with the skill. No remote downloads or archive extraction occur. The scripts use only Python stdlib and will run locally when invoked.
Credentials
The env vars required by SKILL.md (FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_REDIRECT_URI, and optional FITBIT_TOKEN_PATH, FITBIT_TZ, FITBIT_SCOPES) are proportionate and expected for an OAuth integration. The earlier registry 'Requirements' section incorrectly listed no required env vars; this mismatch should be corrected before deployment.
Persistence & Privilege
The skill does persist a Fitbit token to a local file (~/.config/openclaw/fitbit/token.json by default) and will refresh tokens as needed. It sets file permissions to 0600 when possible. The skill is not marked always:true and does not modify other skills or system-wide settings.
Assessment
This skill appears to do exactly what it claims: perform Fitbit OAuth, save tokens locally, fetch daily activity and sleep, normalize, and render a digest. Before installing/running:
1) Fix or confirm the registry metadata mismatch — the skill requires FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, and FITBIT_REDIRECT_URI.
2) Only provide your Fitbit client_id/client_secret if you trust the code; these are sensitive and allow token exchanges.
3) Note the token file is written to ~/.config/openclaw/fitbit/token.json (or FITBIT_TOKEN_PATH) and the code attempts to chmod it to 0600; verify that location and permissions meet your security needs.
4) Loopback mode starts a local HTTP listener on 127.0.0.1 for OAuth redirects — that's normal but ensure the redirect URI is correct.
5) If unsure, review the bundled scripts locally before running; they use only standard Python libraries and communicate only with Fitbit's documented endpoints.
Like a lobster shell, security has layers — review code before you run it.
latestvk971pw7td1va0ma2t9aabz3gjn82vhrc
