Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fitbit Insights

Fitbit fitness data integration. Use when the user wants fitness insights, workout summaries, step counts, heart rate data, sleep analysis, or to ask questions about their Fitbit activity data. Provides AI-powered analysis of fitness metrics.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The stated purpose (fetch Fitbit data and analyze it) legitimately requires OAuth tokens and client credentials. However, the registry metadata declares no required environment variables or config paths, while the SKILL.md and SETUP guide clearly require a local config file (/root/clawd/fitbit-config.json) and OAuth credentials. That mismatch between what the skill needs and what it declares is an incoherence that should be resolved.
! Instruction Scope
Runtime instructions tell the agent to load tokens from /root/clawd/fitbit-config.json, auto-refresh tokens, and run scripts (python3 scripts/fitbit_api.py and scripts/refresh_token.py). Those actions are within the expected scope for a Fitbit integrator, but SKILL.md references file paths and scripts that are not declared in metadata and are missing from the provided file manifest. The instructions also allow overriding via FITBIT_ACCESS_TOKEN env var even though no env vars are declared — another inconsistency.
! Install Mechanism
There is no install spec (instruction-only), which reduces install-time risk. However, the documentation and runtime instructions reference code files (fitbit_api.py, refresh_token.py, scripts/) that are not present in the package manifest. That suggests the package is mispackaged or relies on external files/install steps not documented in the registry metadata — this makes it unclear what will actually run after installation.
! Credentials
The skill requires sensitive items (client_id, client_secret, access_token, refresh_token) according to SETUP.md and SKILL.md, but none are declared in the registry metadata. Storing refresh_token and client_secret in a readable file under /root/clawd is sensitive. Requesting these credentials is proportionate to the claimed purpose, but failing to declare them and instructing a specific filesystem location without noting permissions is a security concern.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does expect to read a local credential file and to run periodic refresh logic (every 8 hours). That behavior is reasonable for an OAuth-based integration, but combined with the other inconsistencies (missing scripts, undeclared credentials) it increases the risk surface.
What to consider before installing
Do not install yet. Ask the author/maintainer to: (1) provide the missing runtime scripts (fitbit_api.py, refresh_token.py, scripts/) or explain where they come from; (2) update the registry metadata to declare required env vars and config path (FITBIT_ACCESS_TOKEN, client_id, client_secret, refresh_token and the config file path); (3) show the actual code so you or a reviewer can confirm there is no hidden network endpoint or exfiltration logic and that token refresh is implemented safely. If you proceed, run in a sandbox, inspect the included scripts for unexpected network requests or uploads, store client_secret/refresh_token securely (prefer least-privilege storage, strict file permissions or environment variables), and verify tokens are not transmitted to any endpoint other than api.fitbit.com. If the package lacks the scripts it documents, treat it as mispackaged and avoid installing until corrected.


Current version: v1.0.0


SKILL.md

Fitbit Fitness Insights

Get AI-powered insights from your Fitbit data. Query your fitness metrics, analyze trends, and ask questions about your activity.

Features

  • 📊 Daily activity summaries (steps, calories, distance, active minutes)
  • 💓 Heart rate data and zones
  • 😴 Sleep tracking and analysis
  • 🏃 Workout/activity logs
  • 📈 Weekly and trend analysis
  • 🤖 AI-powered insights and Q&A

Prerequisites

Requires: Fitbit OAuth access token

Setup steps in references/fitbit-oauth-setup.md

Commands

Get Profile

FITBIT_ACCESS_TOKEN="..." python3 scripts/fitbit_api.py profile

Daily Activity

python3 scripts/fitbit_api.py daily [date]
# Examples:
python3 scripts/fitbit_api.py daily              # Today
python3 scripts/fitbit_api.py daily 2026-02-08   # Specific date

Returns: steps, distance, calories, active minutes (very/fairly/lightly/sedentary), floors

Steps Range

python3 scripts/fitbit_api.py steps <start_date> <end_date>

Example:

python3 scripts/fitbit_api.py steps 2026-02-01 2026-02-07

Returns: total steps, average steps, daily breakdown

Heart Rate

python3 scripts/fitbit_api.py heart [date]

Returns: resting heart rate, heart rate zones with minutes in each zone

Sleep Data

python3 scripts/fitbit_api.py sleep [date]

Returns: duration, efficiency, start/end times, sleep stages

Logged Activities

python3 scripts/fitbit_api.py activities [date]

Returns: workouts/activities logged (name, duration, calories, distance)

Weekly Summary

python3 scripts/fitbit_api.py weekly

Returns: 7-day summary of steps and key metrics

AI Insights Usage

When the user asks fitness questions, use the API to fetch the relevant data, then provide insights:

Example queries:

  • "How did I sleep last night?" → fetch sleep data, analyze quality
  • "Did I hit my step goal this week?" → fetch weekly summary, compare to goals
  • "What was my average heart rate during workouts?" → fetch heart + activities, analyze
  • "Am I more active on weekdays or weekends?" → fetch range data, compare patterns

Analysis approach:

  1. Identify what data is needed
  2. Fetch via appropriate API command
  3. Analyze the data
  4. Provide insights in conversational format

Example Responses

User: "How did I do this week?"

Agent:

  1. Fetch weekly summary
  2. Fetch recent sleep data
  3. Respond: "You had a solid week! Averaged 8,234 steps/day (up 12% from last week). Hit your 10k step goal 4 out of 7 days. Sleep averaged 7.2 hours with 85% efficiency. CrossFit sessions on Mon/Wed/Fri looking consistent!"

User: "Did I exercise today?"

Agent:

  1. Fetch daily activities
  2. Fetch daily activity summary (active minutes)
  3. Respond: "Yes! You logged a CrossFit session this morning (45 min, 312 calories). Plus 28 very active minutes total for the day."

Data Insights to Look For

  • Trends: Week-over-week changes, consistency patterns
  • Goals: Compare to 10k steps, exercise frequency, sleep targets
  • Correlations: Sleep quality vs activity, rest days vs performance
  • Anomalies: Unusual spikes or drops
  • Achievements: Personal bests, streaks, milestones

Token Management

The skill automatically loads tokens from /root/clawd/fitbit-config.json and refreshes them when expired (every 8 hours).

Auto-refresh: Tokens are refreshed automatically - no manual intervention needed!

Manual refresh (if needed):

python3 scripts/refresh_token.py force

Override with environment variable:

export FITBIT_ACCESS_TOKEN="manual_token"
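
An added example, not code from this skill or its author: one way a loader could apply the token-loading order described above while enforcing the strict file permissions the scan asks for. The function names and the flat JSON layout are assumptions; the key names are the credentials the scan lists, and all sample values are constructed.

```python
import json
import os
import stat
import tempfile

# Key names follow the credentials the scan lists; the flat JSON layout is an assumption.
REQUIRED_KEYS = ("client_id", "client_secret", "access_token", "refresh_token")


def load_fitbit_credentials(path, env=None):
    """Return (credentials, source); refuse a config file that is not owner-only."""
    env = os.environ if env is None else env
    override = env.get("FITBIT_ACCESS_TOKEN")
    if override:  # documented override: the file is never read
        return {"access_token": override}, "env"
    st = os.lstat(path)  # lstat so a symlink is rejected rather than followed
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is open to group/other; run chmod 600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        raise KeyError(f"config is missing: {', '.join(missing)}")
    return {k: data[k] for k in REQUIRED_KEYS}, "file"


def demo():
    """Exercise the loader on a constructed config in a temporary directory."""
    sample = {k: f"constructed-{k}" for k in REQUIRED_KEYS}  # not real secrets
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fitbit-config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # world-readable: must be refused
        try:
            load_fitbit_credentials(path, env={})
            loose = "accepted"
        except PermissionError:
            loose = "rejected"
        os.chmod(path, 0o600)  # owner-only: accepted
        _, from_file = load_fitbit_credentials(path, env={})
        _, from_env = load_fitbit_credentials(path, env={"FITBIT_ACCESS_TOKEN": "constructed"})
    return loose, from_file, from_env


if __name__ == "__main__":
    print(demo())
```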

Error Handling

  • Missing token: Prompt user to set FITBIT_ACCESS_TOKEN
  • API errors: Check token validity, may need refresh
  • No data: Some days may have no logged activities or missing metrics

See references/fitbit-oauth-setup.md for token management.
