ClawHub

TrainingPeaks

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: trainingpeaks Version: 1.0.1 The OpenClaw AgentSkills bundle for TrainingPeaks is benign. The `SKILL.md` provides clear, legitimate instructions for cookie-based authentication and usage, without any prompt injection attempts or deceptive phrasing. The `scripts/tp.py` Python code uses only standard library modules, communicates exclusively with the official `tpapi.trainingpeaks.com` endpoint, and stores credentials (`cookie`, `token.json`, `config.json`) securely in `~/.trainingpeaks/` with `0o600` permissions. There is no evidence of data exfiltration to unauthorized destinations, malicious execution, persistence mechanisms, or other high-risk behaviors.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

If the cookie or token files are exposed, someone may be able to access the user's TrainingPeaks account data.

Why it was flagged

The skill requires a browser session cookie and stores both the cookie and derived bearer token persistently. This is disclosed and purpose-aligned, but those are sensitive account credentials.

Skill content
Find the cookie named `Production_tpAuth` ... `python3 scripts/tp.py auth "<paste_cookie_value_here>"` ... Bearer tokens are cached in `~/.trainingpeaks/token.json` ... Cookie lasts weeks; stored in `~/.trainingpeaks/cookie`
Recommendation

Use only on a trusted machine, do not share the cookie value, remove ~/.trainingpeaks if you stop using the skill, and re-authenticate or invalidate the session if the cookie may have leaked.

NoteMedium Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Users must rely on the bundled artifact and registry trust rather than verifying the skill against an upstream project.

Why it was flagged

The registry metadata does not provide an upstream source or homepage, so users have limited provenance information for a script that handles a sensitive auth cookie.

Skill content
Source: unknown; Homepage: none
Recommendation

Review the included script before use and install only if you trust the publisher and registry source.