TrainingPeaks
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the cookie or token files are exposed, someone may be able to access the user's TrainingPeaks account data.
The skill requires a browser session cookie and stores both the cookie and derived bearer token persistently. This is disclosed and purpose-aligned, but those are sensitive account credentials.
Find the cookie named `Production_tpAuth` ... `python3 scripts/tp.py auth "<paste_cookie_value_here>"` ... Bearer tokens are cached in `~/.trainingpeaks/token.json` ... Cookie lasts weeks; stored in `~/.trainingpeaks/cookie`
Use only on a trusted machine, do not share the cookie value, remove ~/.trainingpeaks if you stop using the skill, and re-authenticate or invalidate the session if the cookie may have leaked.
Users must rely on the bundled artifact and registry trust rather than verifying the skill against an upstream project.
The registry metadata does not provide an upstream source or homepage, so users have limited provenance information for a script that handles a sensitive auth cookie.
Source: unknown; Homepage: none
Review the included script before use and install only if you trust the publisher and registry source.