TrainingPeaks
PassAudited by ClawScan on May 10, 2026.
Overview
The skill appears aligned with its stated TrainingPeaks data-retrieval purpose, but it requires and stores a sensitive browser auth cookie.
This skill appears benign for reading TrainingPeaks data, but it works by copying a browser session cookie into a local script. Treat that cookie like a password: use the skill only on a trusted device, avoid sharing command history or logs containing the cookie, and remove the stored files if you no longer need it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the cookie or token files are exposed, someone may be able to access the user's TrainingPeaks account data.
The skill requires a browser session cookie and stores both the cookie and derived bearer token persistently. This is disclosed and purpose-aligned, but those are sensitive account credentials.
Find the cookie named `Production_tpAuth` ... `python3 scripts/tp.py auth "<paste_cookie_value_here>"` ... Bearer tokens are cached in `~/.trainingpeaks/token.json` ... Cookie lasts weeks; stored in `~/.trainingpeaks/cookie`
Use only on a trusted machine, do not share the cookie value, remove ~/.trainingpeaks if you stop using the skill, and re-authenticate or invalidate the session if the cookie may have leaked.
Users must rely on the bundled artifact and registry trust rather than verifying the skill against an upstream project.
The registry metadata does not provide an upstream source or homepage, so users have limited provenance information for a script that handles a sensitive auth cookie.
Source: unknown; Homepage: none
Review the included script before use and install only if you trust the publisher and registry source.