Fitbit
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may retrieve and display personal health, fitness, profile, and device information from the user's Fitbit account.
The skill uses Fitbit account authorization and refreshable tokens to access personal Fitbit data. This is expected for the stated purpose and described as read-only, but it is still account-backed access to sensitive health information.
- Read-only access to Fitbit data
- Tokens auto-refresh (expire after 8 hours)
- First-time setup: `fitbit-cli --init-auth`
Only authorize the CLI if you are comfortable sharing Fitbit data in the agent session, and revoke or reset Fitbit CLI authorization if you no longer use it.
The behavior users experience will depend on the installed `fitbit-cli` implementation and its local authentication handling.
The skill depends on an external `fitbit-cli` binary that is not bundled or installed by the skill. This is not suspicious by itself because the CLI is central to the purpose, but users should verify the provenance of the binary they have installed.
Source: unknown
Required binaries (all must exist): fitbit-cli
No install spec — this is an instruction-only skill.
Install or use `fitbit-cli` only from a trusted source, and avoid similarly named or unverified binaries in your PATH.
