ClawHub

Strava Skill

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Strava-to-Transition API helper, but users should protect the API key and understand that fitness data is processed by Transition.

Install only if you are comfortable connecting Strava through Transition and letting an agent query that service. Treat TRANSITION_API_KEY as a secret, avoid committing or sharing it, prefer a secret manager or scoped environment over global shell-profile storage, and revoke or rotate the key if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to place a live API key in a shell profile using `export TRANSITION_API_KEY=...` but does not warn that this credential is sensitive, long-lived, and may be exposed through copied config files, screen sharing, backups, or accidental publication. While environment variables are common, documenting a production-style secret value without secret-handling guidance increases the chance of credential leakage.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly routes detailed Strava-derived activity, fitness, and performance data to a third-party AI service, but it provides no privacy notice, data-use disclosure, or guidance about sensitivity of health/fitness information. This can lead users or downstream agents to transmit personal behavioral and biometric-adjacent data without informed consent or awareness of retention, sharing, or model-processing risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions have users generate and export a live API key but do not warn that the key is a secret or caution against logging, sharing, committing, or exposing it in shell history and screenshots. In an agent ecosystem, this omission increases the chance of credential leakage and unauthorized access to the user's Strava-linked data.

External Transmission

Medium
Category
Data Exfiltration
Content
curl -X POST -H "X-API-Key: $TRANSITION_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"message": "How did my long run this week compare to last week?"}' \
  "https://api.transition.fun/api/v1/coach/chat"
```

Example questions:
Confidence
94% confidence
Finding
https://api.transition.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/workouts?start=2026-02-09&end=2026-02-15"
```

**Parameters:**
Confidence
90% confidence
Finding
https://api.transition.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/performance/pmc"
```

### Performance Stats
Confidence
90% confidence
Finding
https://api.transition.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/performance/stats"
```

### Athlete Profile
Confidence
90% confidence
Finding
https://api.transition.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/profile"
```

### Chat History
Confidence
91% confidence
Finding
https://api.transition.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/coach/history"
```

## Rate Limits
Confidence
89% confidence
Finding
https://api.transition.fun/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal