Fulcra Context

v1.2.0

Access your human's personal context data (biometrics, sleep, activity, calendar, location) via the Fulcra Life API and MCP server. Requires human's Fulcra account + OAuth2 consent.

⭐ 1· 1.7k·0 current·0 all-time

by@arc-claw-bot

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The skill's name/description (access Fulcra personal data) matches what it requests (FULCRA_ACCESS_TOKEN) and the included code calls the Fulcra API. However, the registry metadata only declares 'curl' as a required binary while SKILL.md and the included script expect python3/pip (and use of npx/uvx for MCP server integration). That mismatch is an implementation oversight that could surprise users but is not by itself malicious.

ℹ

Instruction Scope

SKILL.md stays on-topic: it describes obtaining an OAuth2 token, storing it locally, using it in API calls to api.fulcradynamics.com, and running the provided fulcra_auth.py for device flow and refresh. It does instruct storing tokens to ~/.config/fulcra/token.json and printing tokens into the environment for piping (export FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)). Those behaviors are expected for this purpose but raise operational risk: the token-printing/cron-refresh pattern increases the chances of accidental token exposure if logs, backups, or shared shells capture the token. The skill does not instruct reading unrelated system files or sending data to domains other than the Fulcra endpoints and the Auth0 domain.

ℹ

Install Mechanism

There is no install spec (instruction-only) and the repository includes the Python script locally, so nothing unknown is automatically downloaded by the skill itself. SKILL.md references pip install fulcra-api and using npx/uvx to run an MCP server; those commands can pull network code at install/run-time if the user follows them. That is a normal developer flow but the user should be aware that npx/uvx will fetch remote packages when invoked.

✓

Credentials

Only a single primary credential is declared (FULCRA_ACCESS_TOKEN), which is appropriate for the stated purpose. The included code stores both access and refresh tokens locally to support silent refresh; that is proportionate for an OAuth2 client but increases the persistence of access (refresh tokens allow long-lived access) and thus should be considered a sensitive secret.

✓

Persistence & Privilege

The skill does not request always:true or system-wide privileges. It writes token state to its own config path (~/.config/fulcra/token.json) and does not modify other skills' configs. The autonomous invocation default is allowed but not combined with elevated privileges here.

What to consider before installing

This skill appears to do what it says (connect to Fulcra and read personal metrics), but before installing you should: 1) Verify you trust the Fulcra project and the referenced GitHub/MCP endpoints; 2) Confirm you have Python3 and pip if you plan to use the included script (the registry only listed 'curl' which is incomplete); 3) Understand that the included script stores a refresh_token locally (~/.config/fulcra/token.json) and can refresh access without a human — treat that file as highly sensitive and ensure file permissions and backups are protected; 4) Avoid placing token output into logs or shared shells (the helper can print the token for piping — this is convenient but risky); 5) If you deploy a cron job to auto-refresh, ensure the cron environment can't leak the token to other users or uploads; 6) Prefer least-privilege (only request the metrics you need) and be ready to revoke the refresh token from your Fulcra account if you suspect compromise. If you need higher assurance, ask the maintainer for a formal provenance link (official repository release/tag) and a reproducible install spec that lists all required binaries.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🫀 Clawdis

Binscurl

Primary envFULCRA_ACCESS_TOKEN

latestvk97498832340xbcdss54aeys0980be56

1.7kdownloads

1stars

3versions

Updated 1mo ago

v1.2.0

MIT-0

Fulcra Context — Personal Data for AI Partners

Give your agent situational awareness. With your human's consent, access their biometrics, sleep, activity, location, and calendar data from the Fulcra Life API.

What This Enables

With Fulcra Context, you can:

Know how your human slept → adjust morning briefing intensity
See heart rate / HRV trends → detect stress, suggest breaks
Check location → context-aware suggestions (home vs. office vs. traveling)
Read calendar → proactive meeting prep, schedule awareness
Track workouts → recovery-aware task scheduling

Privacy Model

OAuth2 per-user — your human controls exactly what data you see
Their data stays theirs — Fulcra stores it, you get read access only
Consent is revocable — they can disconnect anytime
NEVER share your human's Fulcra data publicly without explicit permission

Setup

Option 1: MCP Server (Recommended)

Use Fulcra's hosted MCP server at https://mcp.fulcradynamics.com/mcp (Streamable HTTP transport, OAuth2 auth).

Your human needs a Fulcra account (free via the Context iOS app or Portal).

Claude Desktop config (claude_desktop_config.json):

{
  "mcpServers": {
    "fulcra_context": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.fulcradynamics.com/mcp"]
    }
  }
}

Or run locally via uvx:

{
  "mcpServers": {
    "fulcra_context": {
      "command": "uvx",
      "args": ["fulcra-context-mcp@latest"]
    }
  }
}

Also tested with: Goose, Windsurf, VS Code. Open source: github.com/fulcradynamics/fulcra-context-mcp

Option 2: Direct API Access

Your human creates a Fulcra account
They generate an access token via the Python client or Portal
Store the token: skills.entries.fulcra-context.apiKey in openclaw.json

Option 3: Python Client (Tested & Proven)

pip3 install fulcra-api

from fulcra_api.core import FulcraAPI

api = FulcraAPI()
api.authorize()  # Opens device flow — human visits URL and logs in

# Now you have access:
sleep = api.metric_samples(start, end, "SleepStage")
hr = api.metric_samples(start, end, "HeartRate")
events = api.calendar_events(start, end)
catalog = api.metrics_catalog()

Save the token for automation:

import json
token_data = {
    "access_token": api.fulcra_cached_access_token,
    "expiration": api.fulcra_cached_access_token_expiration.isoformat(),
    "user_id": api.get_fulcra_userid()
}
with open("~/.config/fulcra/token.json", "w") as f:
    json.dump(token_data, f)

Token expires in ~24h. Use the built-in token manager for automatic refresh (see below).

Token Lifecycle Management

The skill includes scripts/fulcra_auth.py which handles the full OAuth2 lifecycle — including refresh tokens so your human only authorizes once.

# First-time setup (interactive — human approves via browser)
python3 scripts/fulcra_auth.py authorize

# Refresh token before expiry (automatic, no human needed)
python3 scripts/fulcra_auth.py refresh

# Check token status
python3 scripts/fulcra_auth.py status

# Get current access token (auto-refreshes if needed, for piping)
export FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)

How it works:

authorize runs the Auth0 device flow and saves both the access token AND refresh token
refresh uses the saved refresh token to get a new access token — no human interaction
token prints the access token (auto-refreshing if expired) — perfect for cron jobs and scripts

Set up a cron job to keep the token fresh:

For OpenClaw agents, add a cron job that refreshes the token every 12 hours:

python3 /path/to/skills/fulcra-context/scripts/fulcra_auth.py refresh

Token data is stored at ~/.config/fulcra/token.json (permissions restricted to owner).

Quick Commands

Check sleep (last night)

# Get time series for sleep stages (last 24h)
curl -s "https://api.fulcradynamics.com/data/v0/time_series_grouped?metrics=SleepStage&start=$(date -u -v-24H +%Y-%m-%dT%H:%M:%SZ)&end=$(date -u +%Y-%m-%dT%H:%M:%SZ)&samprate=300" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"

Check heart rate (recent)

curl -s "https://api.fulcradynamics.com/data/v0/time_series_grouped?metrics=HeartRate&start=$(date -u -v-2H +%Y-%m-%dT%H:%M:%SZ)&end=$(date -u +%Y-%m-%dT%H:%M:%SZ)&samprate=60" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"

Check today's calendar

curl -s "https://api.fulcradynamics.com/data/v0/{fulcra_userid}/calendar_events?start=$(date -u +%Y-%m-%dT00:00:00Z)&end=$(date -u +%Y-%m-%dT23:59:59Z)" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"

Available metrics

curl -s "https://api.fulcradynamics.com/data/v0/metrics_catalog" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"

Key Metrics

Metric	What It Tells You
SleepStage	Sleep quality — REM, Deep, Light, Awake
HeartRate	Current stress/activity level
HRV	Recovery and autonomic nervous system state
StepCount	Activity level throughout the day
ActiveCaloriesBurned	Exercise intensity
RespiratoryRate	Baseline health indicator
BloodOxygen	Wellness check

Integration Patterns

Morning Briefing

Check sleep + calendar + weather → compose a briefing calibrated to energy level.

Stress-Aware Communication

Monitor HRV + heart rate → if elevated, keep messages brief and non-urgent.

Proactive Recovery

After intense workout or poor sleep → suggest lighter schedule, remind about hydration.

Travel Awareness

Location changes → adjust timezone handling, suggest local info, modify schedule expectations.

Demo Mode

For public demos (VC pitches, livestreams, conferences), enable demo mode to swap in synthetic calendar and location data while keeping real biometrics.

Activation

# Environment variable (recommended for persistent config)
export FULCRA_DEMO_MODE=true

# Or pass --demo flag to collect_briefing_data.py
python3 collect_briefing_data.py --demo

What changes in demo mode

Data Type	Demo Mode	Normal Mode
Sleep, HR, HRV, Steps	✅ Real data	✅ Real data
Calendar events	🔄 Synthetic (rotating schedules)	✅ Real data
Location	🔄 Synthetic (curated NYC spots)	✅ Real data
Weather	✅ Real data	✅ Real data