Fitbit
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: fitbit Version: 0.1.0 The skill bundle is classified as benign. The `SKILL.md` file clearly defines the purpose as querying Fitbit health data using the `fitbit-cli` tool. All documented commands involve read-only queries for various health metrics and account information. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts designed to subvert the agent's behavior beyond its stated purpose. The dependency on `fitbit-cli` is declared as a required binary, and its usage is limited to benign query operations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may retrieve and display personal health, fitness, profile, and device information from the user's Fitbit account.
The skill uses Fitbit account authorization and refreshable tokens to access personal Fitbit data. This is expected for the stated purpose and described as read-only, but it is still account-backed access to sensitive health information.
- Read-only access to Fitbit data - Tokens auto-refresh (expire after 8 hours) - First-time setup: `fitbit-cli --init-auth`
Only authorize the CLI if you are comfortable sharing Fitbit data in the agent session, and revoke or reset Fitbit CLI authorization if you no longer use it.
The behavior users experience will depend on the installed `fitbit-cli` implementation and its local authentication handling.
The skill depends on an external `fitbit-cli` binary that is not bundled or installed by the skill. This is not suspicious by itself because the CLI is central to the purpose, but users should verify the provenance of the binary they have installed.
Source: unknown Required binaries (all must exist): fitbit-cli No install spec — this is an instruction-only skill.
Install or use `fitbit-cli` only from a trusted source, and avoid similarly named or unverified binaries in your PATH.