v0.1.1

Strava (Official API)

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:04 AM.

Analysis

This skill appears to do what it says—connect to Strava, store OAuth tokens, and fetch workout data—but it handles sensitive account and fitness information.

Guidance: This looks purpose-aligned and not malicious. Before using it, make sure you trust the publisher/source, understand that it stores Strava OAuth tokens locally, and avoid sharing raw or normalized activity files with untrusted tools or channels.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none
Required env vars: none
Primary credential: none

The registry metadata does not declare provenance, homepage, required environment variables, or a primary credential even though the skill documentation and code use Strava OAuth credentials and tokens.

User impact: Install-time metadata may not fully call attention to the credentials and token storage involved.
Recommendation: Review the included source before use and prefer registry metadata that explicitly declares the Strava OAuth requirements and project provenance.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Required env vars:

- `STRAVA_CLIENT_ID`
- `STRAVA_CLIENT_SECRET`
- `STRAVA_REDIRECT_URI`

Optional:

- `STRAVA_TOKEN_PATH` (default: `~/.config/openclaw/strava/token.json`)

The skill requires Strava OAuth app credentials and stores OAuth tokens locally, which is expected for a Strava integration but gives the skill delegated account access.

User impact: Installing and using this skill can allow OpenClaw to read Strava activity data using stored OAuth tokens.
Recommendation: Use only the Strava scopes you need, keep the token path private, and revoke the OAuth grant in Strava if you stop using the skill.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
references/output_schema.md
"calories_kcal": "number|null",
"avg_hr_bpm": "number|null",
"max_hr_bpm": "number|null",
"source": "strava"

The normalized output can include health and training metrics that may be passed to a Wellness hub or other downstream channel.

User impact: Workout summaries may expose sensitive fitness details such as heart rate, calories, and activity history to downstream workflows.
Recommendation: Send the normalized output only to trusted hubs or channels, and store or delete raw and normalized files according to your privacy needs.