Coach Skill
v1.0.0
Create personalized triathlon, marathon, and ultra-endurance training plans. Use when athletes ask for training plans, workout schedules, race preparation, or coaching advice. Can sync with Strava to analyze training history, or work from manually provided fitness data. Generates periodized plans with sport-specific workouts, zones, and race-day strategies.
by @shiv19
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and extensive reference materials are coherent with creating endurance training plans and analyzing Strava/manually-provided data. However, the SKILL.md instructs use of an external CLI (npx claude-coach) to fetch and store Strava history even though no code or install spec is included in the bundle — this is a capability mismatch (the skill claims runtime behavior it does not contain).
Instruction Scope
Instructions ask the agent/user to read/write a local DB (~/.claude-coach/coach.db) and to run npx claude-coach auth/sync with user-provided Client ID/Secret and pasted redirect URLs. Reading/writing a per-user DB and performing OAuth are reasonable for this purpose, but the instructions explicitly direct execution of an external npm package not bundled with the skill — that step can execute arbitrary remote code and may exfiltrate secrets or local files.
Install Mechanism
There is no install spec or packaged code. The SKILL.md relies on invoking 'npx claude-coach', which implicitly downloads and executes code from the npm registry at runtime. That is a high-risk implicit install pattern (arbitrary remote code execution) and is not documented/verified in the bundle.
Credentials
The skill does not declare required environment variables; it instead prompts the user interactively for Strava Client ID/Secret and stores tokens in ~/.claude-coach/coach.db. Asking for Strava credentials is proportionate to the stated Strava integration, but the credentials are requested free-form (via AskUserQuestion) and could be passed to an externally downloaded CLI — the lack of declared secrets in metadata and the ad-hoc handling are worth caution.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only asks to create/use a per-user DB (~/.claude-coach). That local file usage is reasonable for caching training data. There is no indication it requests system-wide privileges or modifies other agent settings.
Scan Findings in Context
[no_code_files_present] unexpected: The bundle contains only documentation and SKILL.md (instruction-only). For an instruction-only coaching skill that only provides guidance, this is fine; however, the SKILL.md instructs running 'npx claude-coach' (an external package). The absence of any packaged CLI or install specification combined with instructions to download/execute code is unexpected and therefore not appropriate for the claimed runtime behavior.
What to consider before installing
This skill's content (training plans, SQL queries, zone logic) is coherent for a coach assistant. The red flag is that the runtime docs tell users/agents to run 'npx claude-coach' to perform OAuth and sync Strava data, but the bundle does not include that code or an install manifest. Running npx will fetch and execute arbitrary code from the npm registry — that can exfiltrate secrets or read/write local files. Before installing or following the auth flow, consider:
1) Prefer manual data entry if you don't trust running remote code.
2) Ask the publisher for the authoritative package name, homepage, and source code (verify the npm package, its maintainer, and its code).
3) If you must use Strava, use Strava's official OAuth flow and avoid pasting your client secret into commands you didn't verify.
4) Inspect any ~/.claude-coach/coach.db created by the tool and ensure it only contains expected activity data.
5) If you don't have the technical ability to verify an npm package, treat the implicit npx step as risky and avoid running it.
Like a lobster shell, security has layers — review code before you run it.
