v1.0.3

Strava Training Coach

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

The artifacts match a Strava coaching and alerting skill, with expected but sensitive Strava access, local token storage, and Slack/Discord notifications.

Guidance: Install only if you are comfortable connecting Strava and sending training alerts to your chosen Slack or Discord channel. Keep Strava credentials and webhook URLs private, use private notification channels, know how to disable any schedule you create, and revoke/delete stored tokens when you stop using the skill.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown ... No install spec — this is an instruction-only skill.

The skill has bundled scripts but no external source repository or install specification, so provenance is limited even though no suspicious install behavior is shown.

User impact: You cannot easily compare the bundled scripts against an upstream project before use.
Recommendation: Review the included scripts before running them, and prefer installing from a trusted publisher or repository when available.

Rogue Agents
Severity: Low; Confidence: High; Status: Note
SKILL.md
"schedule": {"kind": "every", "everyMs": 86400000}, "command": "python3 scripts/coach_check.py"

The skill documents an optional daily scheduled run for ongoing monitoring, which is persistent behavior but is disclosed and purpose-aligned.

User impact: If scheduled, the coach can keep running daily and sending alerts without a fresh prompt each time.
Recommendation: Only enable the schedule if you want ongoing monitoring, and keep track of how to disable the scheduled job.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
scripts/auth.py
scopes = 'read,activity:read' ... TOKEN_FILE = os.path.join(CONFIG_DIR, 'strava_tokens.json')

The OAuth flow requests Strava read/activity access and stores the resulting tokens locally for later API calls.

User impact: The skill can read Strava activity data available to the granted scope until the token is revoked or expires.
Recommendation: Only authorize the Strava app if you are comfortable sharing activity data with this local skill, and revoke the Strava authorization when you no longer use it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
sends smart alerts to Discord or Slack ... export DISCORD_WEBHOOK_URL=... / export SLACK_WEBHOOK_URL=...

Training alerts are intentionally sent to a user-configured third-party webhook, which may include workout, recovery, heart-rate, or readiness information.

User impact: Fitness and training-risk information may become visible to people or systems with access to the chosen Discord or Slack channel.
Recommendation: Use a private channel/webhook, keep webhook URLs secret, and rotate the webhook if it is exposed.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
scripts/coach_check.py
STATE_FILE = os.path.join(CONFIG_DIR, 'coach_state.json') ... self.weekly_mileage_history: List[Dict] = []

The coach persists local state and weekly mileage history across runs so future checks can use prior context.

User impact: Local training history is retained on disk and can influence future recommendations.
Recommendation: Protect the config directory, and delete `~/.config/strava-training-coach/` if you want to remove stored tokens, logs, and history.