Coach Skill

Warn

Audited by ClawScan on May 10, 2026.

Overview

The coaching content is coherent, but the Strava sync path asks the agent to run an unreviewed npm CLI with Strava secrets and persist two years of activity data.

Before using Strava sync, verify that the `claude-coach` npm package is trustworthy, understand that you will be providing Strava API secrets and OAuth data, and consider manual entry if you do not want two years of training history stored under `~/.claude-coach`.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could end up executing unreviewed third-party code locally with access to their Strava credentials and activity history.

Why it was flagged

The instruction-only skill runs an external `claude-coach` package through `npx`; the package code, version pin, install spec, and provenance are not present in the artifacts, yet it handles credentials and synced user data.

Skill content

npx claude-coach auth --client-id=CLIENT_ID --client-secret=CLIENT_SECRET
...
npx claude-coach sync --days=730

Recommendation

Only use the Strava sync path if the `claude-coach` package source and version are trusted; the skill should pin and declare the package or include reviewed helper code.

What this means

The skill or its external CLI could gain continuing access to the user's Strava account data beyond the current chat session.

Why it was flagged

The skill asks for Strava API secrets and OAuth redirect data, exchanges them for tokens, and reuses cached tokens, while the registry metadata declares no primary credential.

Skill content

"Now enter your Client Secret" ... "Exchange the code for access tokens" ... "This uses cached tokens"

Recommendation

Declare the Strava credential requirements and scopes clearly, avoid asking users to paste secrets into chat when possible, and document where tokens are stored and how to revoke them.

What this means

Personal training history remains on disk and may be reused in later coaching tasks if the database exists.

Why it was flagged

The skill persistently stores a broad Strava training-history database for later analysis; this is purpose-aligned but may include sensitive fitness, schedule, and heart-rate data.

Skill content

Fetch 2 years of activity history ... Store everything in `~/.claude-coach/coach.db`

Recommendation

Use manual entry if privacy is a concern, and ensure the skill documents what data is stored, how long it is retained, and how to delete `~/.claude-coach/coach.db`.