Skill v0.1.0

ClawScan security

Strava CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · scanned Feb 13, 2026, 7:26 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper for a Strava CLI tool, and its requirements and behavior match its description. The main issues are minor documentation gaps that you should review before installing the referenced third-party tool.
Guidance
This skill is a set of instructions for using the third-party strava-client-cli tool and appears consistent with that purpose. Before installing or running it:
1. Verify that the referenced project (https://github.com/geodeterra/strava-cli or the pip package) is the official/trusted source, and review its code if possible.
2. Be aware that OAuth access and refresh tokens will be stored at ~/.config/strava-cli/tokens.json. Treat that file as sensitive: keep it readable only by your user, keep it out of shared backups and repositories, and revoke the app in your Strava settings if you stop using the tool.
3. The manual curl exchange requires your Client Secret; do not paste it into untrusted places (a secret typed on the command line also ends up in shell history and is visible in the process list while curl runs).
4. Consider running the tool in an isolated environment (container or VM) if you are unsure about the third-party binary.
The only minor mismatch: the skill metadata declares no config paths while the instructions reference token/config file locations. This is not harmful, but worth noting.
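One concrete check for the token-file point above, added here as an example rather than taken from the ClawScan report or from the strava-cli project: a POSIX shell audit that confirms the token and config files the SKILL.md points at are readable only by their owner, and tightens them if not. The paths are the ones quoted in the report; the STRAVA_DIR override and the function names are this example's own assumptions, and nothing about the files' JSON contents is assumed.

```shell
#!/bin/sh
# Added example, not from the ClawScan report or strava-cli itself.
# Audits the local files the SKILL.md points at (tokens.json and config.json
# under ~/.config/strava-cli) and makes sure only the owner can read them.
# STRAVA_DIR is an assumed override so the check can be pointed at another
# directory; the file format is not assumed, only the documented paths.

STRAVA_DIR="${STRAVA_DIR:-$HOME/.config/strava-cli}"

# file_mode FILE: print the permission bits in octal (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private FILE
# Exit status 0 if FILE is absent or only its owner has any access to it,
# 1 if group or other can read/write/execute it. A readable tokens.json hands
# the OAuth refresh token to any other local user, who can then mint new
# access tokens for the Strava account.
check_private() {
    f="$1"
    [ -e "$f" ] || return 0
    # keep the last three octal digits (owner, group, other), then drop owner
    group_other=$(printf '%s' "$(file_mode "$f")" | tail -c 3 | cut -c2-3)
    [ "$group_other" = "00" ]
}

# fix_private FILE: restrict to 0600 and confirm the change took effect.
fix_private() {
    chmod 600 "$1" && check_private "$1"
}

# audit_strava_dir: report on every sensitive file the skill documents.
# Exit status 1 if any of them is exposed, so it can gate an install script.
audit_strava_dir() {
    rc=0
    for f in "$STRAVA_DIR/tokens.json" "$STRAVA_DIR/config.json"; do
        if check_private "$f"; then
            echo "ok   $f"
        else
            echo "WARN $f is readable by group/other; run: chmod 600 '$f'"
            rc=1
        fi
    done
    return "$rc"
}
```

Run `audit_strava_dir` after the first OAuth login; it only reports, so the decision to `chmod` (or to call `fix_private`) stays with the user. A missing file is treated as fine because the tool may not have been authorized yet.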

Review Dimensions

Purpose & Capability
ok · Name/description (Strava CLI) align with the instructions: install and use strava-client-cli to view/export Strava data and perform OAuth. Nothing in the SKILL.md asks for access unrelated to Strava.
Instruction Scope
note · Instructions describe an OAuth flow and where the tool stores config/tokens (~/.config/strava-cli/config.json and tokens.json). The SKILL.md references these paths but the skill metadata declares no required config paths, a minor inconsistency. The instructions do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
ok · This is an instruction-only skill (no install spec or code bundled). It tells users to use 'uvx' / 'uv tool install' to get strava-client-cli; that is a normal external-tool install step. No arbitrary download URLs or archive extraction are embedded in the SKILL.md.
Credentials
ok · No environment variables or credentials are declared as required. The SKILL.md correctly requires a Strava Client ID/Client Secret provided by the user during OAuth; these are expected and proportional. The skill documents where tokens are saved locally.
Persistence & Privilege
ok · always:false and the normal user-invocable/autonomous invocation defaults. The skill does not request persistent system privileges or modify other skills' configuration.