Fitbit Insights
Review
Audited by ClawScan on May 10, 2026.
Overview
This Fitbit skill has a clear purpose, but it asks for long-lived Fitbit credentials while the package lacks the scripts it claims to run and its privacy wording is overstated.
Review before installing. Verify the missing Python scripts from a trusted source, make sure the Fitbit app uses read-only scopes, protect `/root/clawd/fitbit-config.json`, and do not use the skill if you are not comfortable giving the agent access to your Fitbit health data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could access sensitive Fitbit activity, heart rate, sleep, and profile data for as long as the refresh credentials remain valid.
The skill stores Fitbit OAuth credentials locally, including a client secret and refresh token, while the registry metadata declares no credential or required config path.
"client_secret": "YOUR_CLIENT_SECRET", "access_token": "YOUR_ACCESS_TOKEN", "refresh_token": "YOUR_REFRESH_TOKEN" ... Location: `/root/clawd/fitbit-config.json`
Install only if you trust the source, use read-only Fitbit scopes, restrict permissions on the config file, and revoke the Fitbit app tokens if you stop using the skill.

The described credential-handling and API behavior cannot be reviewed from the package, and the skill may fail or depend on unreviewed scripts outside the submitted artifacts.
The documentation claims executable helper scripts are included, but the provided manifest contains only markdown files and the scan says there are no code files to analyze.
Inside skill: ... fitbit_api.py - API client ... refresh_token.py - Auto-refresh system
Require the actual `fitbit_api.py` and `refresh_token.py` sources to be included and reviewed before trusting the skill with OAuth tokens.

A user may believe their health data never leaves Fitbit, when the skill is designed to retrieve it for AI-generated answers.
The same artifacts say the skill fetches Fitbit data and has the AI analyze it, so this privacy claim understates that health data enters the assistant/messaging context.
Your data - Stays in your Fitbit account, never shared
Clarify exactly where Fitbit data is processed, displayed, logged, or retained, especially when used through messaging integrations.

Your fitness, sleep, and heart-rate metrics may be included in assistant responses or conversation history.
The Fitbit provider flow is purpose-aligned and disclosed, but it brings sensitive health data into the agent's working context.
Data Sources: Activity metrics ... Heart rate data ... Sleep tracking ... Workout logs ... Historical trends
Use the skill only for questions you are comfortable exposing to the assistant, and confirm any logging or retention behavior in the host environment.
