Skill v1.1.1
ClawScan security
Peloton Stats · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 12:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested credentials are coherent with its stated purpose (fetching Peloton cycling stats); nothing in the files indicates unrelated access or exfiltration.
- Guidance: This skill appears to do exactly what it claims: it uses your Peloton email/password to call Peloton's auth and API endpoints and prints weekly cycling stats locally. Before installing, confirm you trust the skill author (owner is unknown), because the script requires your Peloton password (sent to auth.onepeloton.com via OAuth password grant). Prefer storing credentials in OpenClaw's credential manager or a secured auth-profiles.json file rather than exporting them into a general shell environment. If you have concerns, inspect the included scripts (scripts/fetch_stats.py) yourself or create a dedicated Peloton account for API access. Note: the skill uses the unofficial Peloton endpoints as documented in its SKILL.md; behavior depends on those APIs and your active Peloton subscription.
Review Dimensions
- Purpose & Capability: ok. Name/description match the behavior: the script logs into Peloton with a username/password and queries Peloton endpoints (auth.onepeloton.com and api.onepeloton.com) to collect cycling workout stats. Requested env vars (PELOTON_USERNAME, PELOTON_PASSWORD) and the OpenClaw auth-profiles.json path are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md instructs the agent to run the included Python script and to store Peloton credentials in the OpenClaw credential manager or auth-profiles.json. The script only reads credentials (env or the declared config path) and calls Peloton APIs; it does not reference unrelated system files, services, or external endpoints beyond the Peloton domains.
- Install Mechanism: ok. No install spec or external downloads — the skill is instruction-only with an included Python script that uses only the stdlib. Nothing is fetched from questionable URLs or written to unexpected system locations.
- Credentials: ok. Requires only the expected credentials (username/password) and the OpenClaw auth-profiles.json path. Those env vars are necessary for the OAuth password grant used by the script; their use is justified and declared.
- Persistence & Privilege: ok. The skill is not always-included and does not request elevated privileges or modify other skills/configs. It reads credentials from its own declared auth-profiles.json and/or environment variables only.
