Daily Strava Roast

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent Strava roast tool, but it includes an under-scoped reauthorization path that can execute a local Python script from a configurable workspace path.

Review before installing if you do not control the local OpenClaw workspace. This skill needs Strava credentials and private activity access, and its reauthorization flow may execute a local helper script at a configurable path. Only use it where the token files and helper script are owned and trusted, and avoid exposing the generated prompt or roast state where private workout names or metrics would be sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def get_reauth_url(reauth_script: Path) -> str:
    result = subprocess.run(["python3", str(reauth_script)], capture_output=True, text=True, timeout=30, check=False)
    if result.returncode != 0:
        raise StravaAuthError((result.stderr or result.stdout).strip() or "Failed to generate Strava reauth URL")
    return result.stdout.strip()
Confidence
93% confidence
Finding
result = subprocess.run(["python3", str(reauth_script)], capture_output=True, text=True, timeout=30, check=False)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This skill loads Strava OAuth configuration, including client secrets and a token file path, from a secure local file and environment variables even though its stated purpose is only to produce a humorous roast/recap. That broadens the skill's access to sensitive credentials beyond what is justified by least privilege, and in an agent environment it increases the chance that downstream code could misuse or expose those secrets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill embeds concrete default paths for Strava app credentials and token storage, which exposes where sensitive authentication material is expected to live and encourages direct handling of those files. In a shared or multi-agent environment, this increases the chance of accidental disclosure, overbroad file access, or other skills probing those locations without clear user warning.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The code reads sensitive environment variables such as STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET without any user-facing disclosure, consent flow, or clear explanation that the roast skill accesses account-linked credentials. In a playful, low-risk-looking skill, that mismatch can mislead users about the level of access being exercised and makes accidental overcollection of sensitive data more likely.

Ssd 1

Medium
Confidence
97% confidence
Finding
The test deliberately injects a prompt-injection string into activity data and verifies it is preserved into downstream context. In a skill that may pass workout names into an LLM for a final paragraph, this is dangerous because untrusted user-controlled text is being carried forward semantically intact rather than neutralized, increasing the chance that a connected model interprets it as instructions.

Ssd 4

Medium
Confidence
98% confidence
Finding
The assertions explicitly require that the injected instruction survives normalization and appears in ctx['activity_names'], which codifies insecure behavior as the expected outcome. That makes future code changes less likely to mitigate prompt injection and more likely to propagate attacker-controlled strings into any LLM-backed roast generation path.

VirusTotal

67/67 vendors flagged this skill as clean.
