Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitbit Analytics

v1.0.0

Fitbit health and fitness data integration. Fetch steps, heart rate, sleep, activity, calories, and trends from Fitbit Web API. Generate automated health reports and alerts. Requires FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_ACCESS_TOKEN, FITBIT_REFRESH_TOKEN.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, required env vars (FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_ACCESS_TOKEN, FITBIT_REFRESH_TOKEN) and required binary (python3) all align with a Fitbit Web API integration. The included scripts implement Fitbit endpoints and reporting features described in the SKILL.md.
Instruction Scope
SKILL.md instructs running the included Python scripts and setting env vars — consistent with purpose. It also suggests OpenClaw cron automation delivering outputs to channels (e.g., Telegram). The runtime instructions and CLI usages stay within Fitbit data collection and reporting; they do not instruct collection of unrelated system files or network endpoints beyond Fitbit/dev.fitbit.com.
Install Mechanism
No install spec or external downloads are used; this is an instruction-only skill with Python scripts included. Risk from install mechanism is low because nothing is fetched from arbitrary URLs and no package managers are invoked.
Credentials (warning)
Although the declared env vars match Fitbit, the code also reads and writes a secrets file at ~/.config/systemd/user/secrets.conf and persists tokens to ~/.fitbit-analytics/tokens.json. The registry metadata did not declare these config paths. Writing to a user secrets file in the home directory (and updating tokens there) is a broader filesystem/credential footprint than the SKILL.md explicitly declares and could overwrite or mix with other stored secrets.
Persistence & Privilege (warning)
The client auto-refreshes tokens and persists them to disk (secrets.conf and a token cache), and sets file permissions. Persisting refresh tokens and access tokens on the user's filesystem is expected for long-running integrations, but it is a permanent change to user files and therefore higher privilege than a read-only skill. This behavior should be disclosed up-front in the registry metadata (required config paths) and verified by the user.
What to consider before installing
This skill appears to implement Fitbit API access and reporting as described, but review the following before installing:

- The code will read from and write to ~/.config/systemd/user/secrets.conf (and will create ~/.fitbit-analytics/tokens.json). If you run it, it will attempt to persist refreshed access/refresh tokens into that secrets.conf file and set file permissions. Ensure that file is not used for unrelated secrets you don't want overwritten.
- If you prefer not to have tokens persisted to that shared secrets file, run the scripts with explicit env vars (export FITBIT_ACCESS_TOKEN and FITBIT_REFRESH_TOKEN) or modify the code to use a dedicated secrets file. Inspect scripts/fitbit_api.py to confirm exactly what will be written.
- The skill contacts only Fitbit endpoints (api.fitbit.com) for data and dev.fitbit.com for setup; there are no other remote endpoints in the code. Still, review the files yourself before granting client_secret/refresh token access.
- Limit the permissions of the Fitbit app to only the scopes you need. Treat client_secret and refresh token as sensitive: store them in a dedicated, secure secrets store if possible.
- If you are unsure, run the scripts in an isolated account or container and observe file writes (secrets.conf, ~/.fitbit-analytics) to confirm behavior before enabling automation/cron or granting persistent access.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bjr7t8rx2y3mqwnby1aevjd809nq3

Runtime requirements

Bins: python3
Env: FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_ACCESS_TOKEN, FITBIT_REFRESH_TOKEN