Fitbit Health Skill
v0.1.1
Query Fitbit health data (activity, sleep, heart rate, weight) via CLI. Use when answering health/fitness questions that require Fitbit data, or when the user asks about their steps, sleep, heart rate, or weight from Fitbit.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, and code all align: the skill is a CLI for Fitbit data and explicitly requires a 'fitbit' binary. No unrelated services, env vars, or binaries are requested.
Instruction Scope
Runtime instructions are limited to registering a Fitbit app, running the CLI's configure/login commands, and reading/writing config and token files under ~/.config/fitbit-cli. The code only contacts Fitbit endpoints (api.fitbit.com and www.fitbit.com) and uses a local 127.0.0.1 callback for OAuth.
Install Mechanism
There is no provided install spec in the registry (instruction-only). The included package.json shows normal npm build/dev tooling and standard dependencies; no downloads from arbitrary URLs or extract/install behavior are present.
Credentials
The skill does not request environment variables or external credentials. It uses a user-provided Fitbit Client ID (configured via the CLI) and OAuth tokens stored in the user's home directory—appropriate and proportional for the stated functionality.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It stores tokens and config under ~/.config/fitbit-cli with file permissions set to 0600 and runs a local callback server bound to 127.0.0.1; these are standard for an OAuth CLI and do not indicate excessive privilege.
Assessment
This skill appears to do what it says: it performs OAuth (PKCE) with Fitbit, stores tokens locally (~/.config/fitbit-cli/tokens.json, chmod 600), and only calls Fitbit endpoints. Before installing, confirm you obtain the 'fitbit' CLI from a trusted source (the repository/package listed), supply your own Fitbit Client ID via dev.fitbit.com, and review the token/config files if you want to audit stored credentials. If you later want to revoke access, run the CLI's logout or revoke the app from your Fitbit account. If you prefer not to allow autonomous agent invocation, ensure your agent's policy restricts or prompts before calling external skills.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💪 Clawdis
Bins: fitbit
latest
Fitbit CLI
Retrieve health and fitness data from Fitbit's Web API.
Setup
- Register an app at https://dev.fitbit.com/apps
- OAuth 2.0 Application Type: Personal
- Callback URL: http://localhost:18787/callback
- Run fitbit configure and enter your Client ID
- Run fitbit login to authorize
Quick Reference
# Setup & auth
fitbit configure # Set client ID (first time)
fitbit login # Authorize via browser
fitbit logout # Sign out
fitbit status # Check auth status
# Data
fitbit profile # User profile info
fitbit activity [date] # Daily activity summary
fitbit activity steps [date] # Just steps
fitbit summary [date] # Full daily summary
fitbit today # Today's summary (shortcut)
Options
All commands support:
- --json — JSON output
- --no-color — Plain text output
- --verbose — Debug/HTTP details
- --tz <zone> — Override timezone (e.g., America/Chicago)
Examples
# Get today's step count
fitbit activity steps
# Get yesterday's full summary as JSON
fitbit summary 2026-01-25 --json
# Check if authenticated
fitbit status
Notes
- Dates default to today if omitted
- Date format: YYYY-MM-DD or today
- Tokens are stored in ~/.config/fitbit-cli/tokens.json (chmod 600)
- Token refresh is automatic
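To audit the stored credentials, as the scan's assessment suggests, the following added example (not part of the fitbit CLI or this skill) checks that every file under ~/.config/fitbit-cli is readable by its owner only, matching the 600 mode noted above. The function names, the --run switch, and the directory-writability and symlink checks are assumptions added here.

```shell
#!/bin/sh
# Added example: audit the permissions of the fitbit-cli credential store.

# Print a file's permission bits in octal (GNU stat first, BSD/macOS fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit every entry in the store. Prints one finding per line and
# returns 0 when clean, 1 when findings exist, 2 when the store is missing.
audit_token_store() {
    dir=${1:-"$HOME/.config/fitbit-cli"}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (not configured or not logged in)"
        return 2
    fi
    # Extra check beyond what the page states: group/other must not be able
    # to replace files in the directory.
    dmode=$(file_mode "$dir")
    case $dmode in
        *[2367]?|*[2367]) echo "DIR-WRITABLE $dir mode=$dmode"; findings=1 ;;
    esac
    for f in "$dir"/*; do
        if [ -L "$f" ]; then
            echo "SYMLINK $f"; findings=1
        elif [ -f "$f" ]; then
            mode=$(file_mode "$f")
            case $mode in
                *00|0) ;;  # owner-only access, e.g. the 600 the page describes
                *) echo "EXPOSED $f mode=$mode (expected 600)"; findings=1 ;;
            esac
        fi
    done
    if [ ! -f "$dir/tokens.json" ]; then
        echo "NOTE no tokens.json in $dir (logged out?)"
    fi
    return "$findings"
}

# Run the audit only when executed as: sh audit.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    audit_token_store "${2:-}"
fi
```

A non-zero exit status makes the check usable as a gate before an agent is allowed to invoke the skill.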
