Strava Skill

v1.0.0

Talk to your Strava data — ask questions about your activities, fitness trends, PRs, and training load using AI.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md's purpose (ask questions about Strava data) aligns with calling Transition's API, but the registry metadata lists no required environment variables or primary credential while the instructions explicitly require TRANSITION_API_KEY/X-API-Key. That metadata omission is an inconsistency.
Instruction Scope
The instructions confine actions to HTTP calls to https://api.transition.fun (including an unauthenticated WOD endpoint and authenticated coach/workouts endpoints). They do not direct the agent to read local files, scan for other credentials, or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lower-risk model (nothing written to disk by the skill itself).
Credentials
The skill legitimately needs a Transition API key to access synced Strava data, which is proportionate to the described feature set. However, the registry did not declare this required secret; that mismatch reduces transparency and could lead to accidental leakage or confusion about what the agent will transmit.
Persistence & Privilege
Skill has no elevated persistence (always:false) and does not request system-level changes or other skills' config. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors here.
What to consider before installing
Before installing:
1) Note that SKILL.md requires a TRANSITION_API_KEY (X-API-Key) even though the registry metadata lists none; that omission is a transparency issue.
2) Only provide an API key if you trust the Transition service (https://transition.fun); verify the domain, TLS, and the service's privacy policy and terms.
3) Prefer adding the key to the agent's secret store (or skill-specific config) rather than your global shell profile.
4) Limit exposure: use a revocable key, test with a throwaway account if possible, and monitor the key's usage/requests after enabling the skill.
5) If you need stronger assurance, ask the skill author to update the registry metadata to declare TRANSITION_API_KEY as a required credential and to explain how the key is used, stored, and transmitted.
6) Rotate the key, and revoke it immediately if you see unexpected activity.

Like a lobster shell, security has layers — review code before you run it.

latest: vk974xvtj3d13q1qb2v4eqghvh980tbc9
