Strava Training Coach
v1.0.3
AI running coach that prevents injuries by monitoring your Strava training load daily. Detects dangerous mileage spikes, intensity imbalances, and recovery g...
⭐ 1· 528·0 current·0 all-time
by Heqing @hhq0421
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The requested environment variables (STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET, and a Discord or Slack webhook) match the described functionality: OAuth access to Strava and posting notifications. Optional flags (Oura, thresholds, verbosity) are reasonable for the stated features.
Instruction Scope
SKILL.md instructs the agent to run local Python scripts (auth.py, coach_check.py, weekly_report.py), perform an OAuth flow via a localhost callback, store tokens under ~/.config/strava-training-coach, and send webhooks to Discord/Slack. These actions are within scope for a monitoring/alerting coach. Note: the skill writes tokens and state files to disk (expected for OAuth) and opens a browser for authorization; users should ensure port 8080 is acceptable on their machine.
Install Mechanism
No install steps or external downloads are requested (instruction-only with bundled scripts). All included code is local Python and uses standard libraries (urllib, http.server, etc.), so there is no high-risk remote install behavior.
Credentials
The number and type of environment variables are proportional to the task. Secrets requested are limited to Strava client credentials and webhook URLs used to deliver alerts. Additional optional envs (thresholds, Oura flag, verbosity) are configuration-only and not excessive.
Persistence & Privilege
The skill persists its own tokens and state under an XDG-style config directory with 0600/0700 permissions as documented. always:false and no modification of other skills or system-wide configs are requested.
Assessment
This skill appears to do what it claims, but before installing: 1) Review the included scripts yourself (they are bundled) to confirm nothing is altered; 2) Keep STRAVA_CLIENT_SECRET and webhook URLs private and store them in your environment (not in git); 3) Be aware the OAuth flow opens a local server on localhost:8080 — ensure that's acceptable in your environment; 4) Rotate webhook URLs if they are ever exposed, and restrict the webhook channels to minimize blast radius; 5) Run the scripts in a contained environment (virtualenv/container) if you want to limit filesystem/network exposure; 6) If enabling Oura or any extra integrations, verify what additional credentials or CLIs they require. Overall this skill is internally consistent and proportionate, but only install if you trust the source and have reviewed the bundled code.
Like a lobster shell, security has layers — review code before you run it.
latestvk97br8q84v9p3akk4qbm057mw581vdss
Runtime requirements
🏃 Clawdis
Env: STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET, DISCORD_WEBHOOK_URL or SLACK_WEBHOOK_URL
