Strava CLI

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Strava CLI setup guide, with the main risk being local storage of Strava OAuth tokens.

Install only if you are comfortable granting the CLI access to your Strava account data. Treat ~/.config/strava-cli/tokens.json as a secret: do not commit, paste, back up publicly, or share it, and prefer restrictive permissions such as a private config directory and 600-style token file permissions where possible.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly instructs users to write live OAuth access and refresh tokens to a predictable local file but does not warn that these credentials are sensitive or recommend file permission hardening. Anyone with local access, backups, logs, or accidental file sharing could reuse the refresh token to obtain new access tokens and access the user's Strava data.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal