TrainingPeaks

Pull real-time training plans, workouts, fitness metrics (CTL/ATL/TSB), and personal records from TrainingPeaks. Uses cookie-based authentication (no API key needed). Use in conjunction with other endurance, cycling, running or swimming triathlon coach skills for best results.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 4 · 1.6k · 0 current installs · 0 all-time installs

by@rubengarciam

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description match the implementation: the code calls tpapi.trainingpeaks.com endpoints to fetch profile, workouts, fitness, and PRs. No extraneous services, binaries, or credentials are requested. The functionality a TrainingPeaks scraper/CLI would need (cookie → token exchange, API requests, local cache) is present and appropriate.

ℹ

Instruction Scope

SKILL.md explicitly instructs the user to copy the Production_tpAuth browser cookie (or set TP_AUTH_COOKIE) and run the included Python CLI. That is necessary for this cookie-based approach, but it requires the user to expose a sensitive session cookie. The instructions do not request or read unrelated files or other credentials. The skill stores the cookie and token in ~/.trainingpeaks (described in the docs).

✓

Install Mechanism

There is no install spec and the single Python script is included in the bundle. The script uses only Python stdlib (urllib, json, pathlib, etc.) and performs no external downloads or package installs; this is low-risk from an install perspective.

✓

Credentials

The skill declares no required env vars; TP_AUTH_COOKIE is optional and is reasonable for CI/use. No unrelated secrets or high-privilege environment variables are requested. Local storage of cookie/token in ~/.trainingpeaks is the only persistence of credentials.

ℹ

Persistence & Privilege

The skill does persist credentials and tokens to ~/.trainingpeaks with attempted 0600 permissions (as stated). always is false and autonomous invocation is allowed (platform default). Because the skill handles an account session cookie, you should be mindful of allowing autonomous invocation if you don't want the agent to use that cookie without explicit prompts.

Assessment

This skill appears to do what it says, but it requires you to copy/paste your TrainingPeaks session cookie (Production_tpAuth) — a long-lived secret that grants access to your account. Only paste that cookie into this tool if you trust the skill and the environment where the agent runs. Recommendations before installing: 1) Review the included scripts/tp.py (already done) — it only talks to https://tpapi.trainingpeaks.com and stores data under ~/.trainingpeaks. 2) If you proceed, store the cookie only on a trusted machine, or use the TP_AUTH_COOKIE env var for short-lived CI runs. 3) To revoke local access, delete ~/.trainingpeaks (cookie, token.json, config.json). 4) Prefer official API keys if TrainingPeaks offers them — copying a session cookie is more sensitive. 5) Note the package source is anonymous (no homepage/unknown owner); if you have concerns about provenance, run the script in an isolated environment (container/VM) or avoid using it.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1

Download zip

latestvk978xr5h2yjgaxyvt77ce6af5d80gtyx

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

TrainingPeaks Skill

CLI access to the TrainingPeaks internal API. Pure Python stdlib — no pip dependencies.

Setup: Getting Your Auth Cookie

Log in to TrainingPeaks in your browser
Open DevTools → Application → Cookies → app.trainingpeaks.com
Find the cookie named Production_tpAuth
Copy its value (long encoded string)

Then authenticate:

python3 scripts/tp.py auth "<paste_cookie_value_here>"

Or set the environment variable (useful for CI/scripts):

export TP_AUTH_COOKIE="<cookie_value>"

Credentials are stored in ~/.trainingpeaks/ with 0600 permissions.

Commands

`auth <cookie>` — Authenticate

Store and validate a Production_tpAuth cookie. Exchanges it for a Bearer token and caches the athlete ID.

python3 scripts/tp.py auth "eyJhbGci..."
# ✓ Authenticated successfully!
#   Account: user@example.com
#   Athlete ID: 12345
#   Token expires in: 60 minutes

`auth-status` — Check Authentication

python3 scripts/tp.py auth-status
# Cookie: stored (file)
# Token: valid (42m remaining)
# Athlete ID: 12345
# ✓ Ready

`profile [--json]` — Athlete Profile

python3 scripts/tp.py profile
# Profile
# ════════════════════════════════════════
#   Name:        Ruben Example
#   Email:       ruben@example.com
#   Athlete ID:  12345
#   Account:     Premium
#   Bike FTP:    280 W

`workouts <start> <end> [--filter all|planned|completed] [--json]`

List workouts in a date range (max 90 days).

# All workouts this week
python3 scripts/tp.py workouts 2026-01-26 2026-02-01

# Only completed workouts
python3 scripts/tp.py workouts 2026-01-01 2026-01-31 --filter completed

# Raw JSON for scripting
python3 scripts/tp.py workouts 2026-01-26 2026-02-01 --json

Output columns: Date, Title, Sport, Status (✓/○), Planned duration, Actual duration, TSS, Distance.

`workout <id> [--json]` — Workout Detail

Get full details for a single workout including description, coach comments, and all metrics.

python3 scripts/tp.py workout 123456789
# Workout: Tempo Intervals 3x10min
# ══════════════════════════════════════════════════
#   Date:         2026-01-28
#   Sport:        Bike
#   Status:       Completed ✓
#   ...

`fitness [--days 90] [--json]` — CTL/ATL/TSB

Get fitness (CTL), fatigue (ATL), and form (TSB) data.

# Last 90 days (default)
python3 scripts/tp.py fitness

# Full season
python3 scripts/tp.py fitness --days 365

# JSON for charts
python3 scripts/tp.py fitness --json

Shows a summary with current CTL/ATL/TSB and status interpretation, plus a 14-day daily table.

`peaks <sport> <pr_type> [--days 3650] [--json]` — Personal Records

Get ranked personal records by sport and metric.

# Best 20-minute power (all time)
python3 scripts/tp.py peaks Bike power20min

# 5K running PRs from last year
python3 scripts/tp.py peaks Run speed5K --days 365

# 5-second max power
python3 scripts/tp.py peaks Bike power5sec

Valid PR types:

Sport	Types
Bike	`power5sec`, `power1min`, `power5min`, `power10min`, `power20min`, `power60min`, `power90min`, `hR5sec`, `hR1min`, `hR5min`, `hR10min`, `hR20min`, `hR60min`, `hR90min`
Run	`hR5sec`–`hR90min`, `speed400Meter`, `speed800Meter`, `speed1K`, `speed1Mi`, `speed5K`, `speed5Mi`, `speed10K`, `speed10Mi`, `speedHalfMarathon`, `speedMarathon`, `speed50K`

Token Management

Bearer tokens are cached in ~/.trainingpeaks/token.json
Tokens expire in ~1 hour; auto-refreshed from stored cookie
Cookie lasts weeks; stored in ~/.trainingpeaks/cookie
If the cookie expires, you'll get a clear error to re-authenticate

File Locations

File	Purpose
`~/.trainingpeaks/cookie`	Stored `Production_tpAuth` cookie
`~/.trainingpeaks/token.json`	Cached OAuth Bearer token + expiry
`~/.trainingpeaks/config.json`	Cached athlete ID and account info

Notes

All dates use YYYY-MM-DD format
Maximum workout query range: 90 days
Rate limiting: 150ms minimum between API requests
TP_AUTH_COOKIE environment variable overrides stored cookie
Default output is human-readable; --json gives raw API responses

Files

2 total

Select a file

Select a file to preview.

Comments

Loading comments…