Fitbit
v0.1.0
Query Fitbit health data including sleep, heart rate, activity, SpO2, and breathing rate. Use when user asks about their fitness, sleep quality, steps, or health metrics.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md clearly intends to query Fitbit data via a 'fitbit-cli' binary which is coherent with the stated purpose. However, the registry metadata at the top lists no required binaries or credentials while the SKILL.md front-matter declares requires: bins: ['fitbit-cli']. That mismatch (and the lack of any declared OAuth/client credentials) is unexplained.
Instruction Scope
Runtime instructions are narrowly scoped to running fitbit-cli commands (read-only queries and an '--init-auth' flow). The instructions do not tell the agent to read unrelated files or send data to unexpected endpoints, but they omit details on how authentication works and where tokens/config are stored.
Install Mechanism
There is no install spec and no source for the 'fitbit-cli' binary. If the binary is required, the skill should document where to obtain a trusted release. Absence of provenance increases risk because a user/agent might install an untrusted binary.
Credentials
The skill declares no required environment variables or primary credential, yet accessing Fitbit data normally requires OAuth tokens or API credentials. The SKILL.md mentions 'tokens auto-refresh' and '--init-auth' but does not declare what environment variables or config paths will be used, which is disproportionate and leaves unclear where sensitive tokens live.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It likely will cause the CLI to store tokens locally (auto-refresh), which is expected behavior but should be documented (storage location, file permissions, token lifetime).
What to consider before installing
Before installing or using this skill, ask the publisher: (1) Where does the 'fitbit-cli' binary come from — provide a trusted download or package source (official repo, GitHub release, signed package). (2) How does authentication work: what OAuth client/app is used, what scopes are requested, will tokens be stored locally, and where (path & file permissions)? (3) Which environment variables or config files does the CLI use (declare them in the skill metadata)? If you can't verify the CLI's provenance and inspect its install/auth flow, avoid installing it or only run it in a restricted environment. If you proceed, prefer official/verified releases, check token storage, and be ready to revoke Fitbit app tokens if you suspect misuse.
Runtime requirements
💪 Clawdis
Bins: fitbit-cli
latest
Fitbit CLI
Query health and fitness data from Fitbit wearables.
Commands
Health Data
# Sleep logs (deep, light, REM, awake times)
fitbit-cli -s # today
fitbit-cli -s yesterday # yesterday
fitbit-cli -s last-week # last 7 days
fitbit-cli -s 2026-01-01 # specific date
# Heart rate time series
fitbit-cli -e # today
fitbit-cli -e last-week # last 7 days
# Blood oxygen (SpO2)
fitbit-cli -o # today
fitbit-cli -o last-3-days # last 3 days
# Active Zone Minutes
fitbit-cli -a # today
fitbit-cli -a last-month # last month
# Breathing rate
fitbit-cli -b # today
# Daily activity (steps, calories, distance, floors)
fitbit-cli -t # today
fitbit-cli -t yesterday # yesterday
Account & Devices
# User profile
fitbit-cli -u
# Connected devices (battery, sync status)
fitbit-cli -d
Date Formats
- No parameter: today
- Specific date: 2026-01-05
- Date range: 2026-01-01,2026-01-05
- Relative: yesterday,last-week,last-month
- Custom relative: last-2-days,last-3-weeks,last-2-months
Usage Examples
User asks "How did I sleep last night?"
fitbit-cli -s yesterday
User asks "What's my heart rate been like this week?"
fitbit-cli -e last-week
User asks "How many steps today?"
fitbit-cli -t
User asks "Show my SpO2 levels"
fitbit-cli -o
User asks "Is my Fitbit synced?"
fitbit-cli -d
User asks "How active was I last month?"
fitbit-cli -a last-month
Notes
- Read-only access to Fitbit data
- Tokens auto-refresh (expire after 8 hours)
- Data may be delayed from device sync
- First-time setup: fitbit-cli --init-auth
