Strava CLI
v0.1.0
Interact with Strava via the strava-client-cli Python tool. Use for viewing activities, athlete profiles, stats, and exporting data. Covers setup (creating a Strava account, API app, and OAuth) and all CLI commands.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Strava CLI) align with the instructions: install/use the strava-client-cli to view/export Strava data and perform OAuth. Nothing in the SKILL.md asks for access unrelated to Strava.
Instruction Scope
Instructions describe an OAuth flow and where the tool stores config/tokens (~/.config/strava-cli/config.json and tokens.json). The SKILL.md references these paths but the skill metadata declares no required config paths — a minor inconsistency. The instructions do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
This is an instruction-only skill (no install spec or code bundled). It tells users to use 'uvx' / 'uv tool install' to get strava-client-cli; that is a normal external-tool install step. No arbitrary download URLs or archive extraction are embedded in the SKILL.md.
Credentials
No environment variables or credentials are declared as required. The SKILL.md correctly requires a Strava Client ID/Client Secret provided by the user during OAuth; these are expected and proportional. The skill documents where tokens are saved locally.
Persistence & Privilege
always:false and normal user-invocable/autonomous invocation defaults. The skill does not request persistent system privileges or modify other skills' configuration.
Assessment
This skill is a set of instructions for using the third-party strava-client-cli tool and appears consistent with that purpose. Before installing or running it: (1) verify the referenced project (https://github.com/geodeterra/strava-cli or the pip package) is the official/trusted source and review its code if possible; (2) be aware OAuth tokens and refresh tokens will be stored at ~/.config/strava-cli/tokens.json — treat these files as sensitive and revoke the app in Strava if you stop using it; (3) the manual curl exchange requires your Client Secret — don't paste that into untrusted places; (4) consider running the tool in an isolated environment (container or VM) if you are unsure about the third-party binary. The only minor mismatch: the skill metadata declares no config paths while the instructions reference token/config file locations — not harmful, but worth noting.
Like a lobster shell, security has layers — review code before you run it.
