Strava CLI
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill matches its Strava CLI purpose, but users should notice that it installs an external Python CLI and grants persistent read access to Strava profile and activity data.
Before installing, confirm you trust the strava-client-cli package, understand that it can read and export Strava profile/activity data, and keep or revoke the local OAuth tokens according to your needs.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI may be able to read and export your Strava profile and activity history, including private activities, until access is revoked or tokens are removed.
The skill asks the user to authorize Strava OAuth access with broad read scopes and stores refreshable tokens locally. This is expected for the stated CLI purpose, but it grants access to private Strava profile and activity data.
Enter Client ID and Client Secret when prompted... scope=activity:read_all,profile:read_all ... tokens: `~/.config/strava-cli/tokens.json`.
Only authorize the Strava app if you trust the CLI, protect the token file, and revoke the app from Strava settings when you no longer need it.
Installing or running the package executes third-party CLI code on your machine.
The skill runs or installs an external Python package without a pinned version. This is central to the skill's purpose and is disclosed, but users depend on the package source and current published version.
uvx --from strava-client-cli strava --help
# Or install persistently:
uv tool install strava-client-cli
Verify the package and source repository before installation, and consider pinning a trusted version if your environment requires reproducible installs.
