TrainingPeaks
v1.0.1Pull real-time training plans, workouts, fitness metrics (CTL/ATL/TSB), and personal records from TrainingPeaks. Uses cookie-based authentication (no API key needed). Use in conjunction with other endurance, cycling, running or swimming triathlon coach skills for best results.
⭐ 4· 1.7k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the implementation: the code calls tpapi.trainingpeaks.com endpoints to fetch profile, workouts, fitness, and PRs. No extraneous services, binaries, or credentials are requested. The functionality a TrainingPeaks scraper/CLI would need (cookie → token exchange, API requests, local cache) is present and appropriate.
Instruction Scope
SKILL.md explicitly instructs the user to copy the Production_tpAuth browser cookie (or set TP_AUTH_COOKIE) and run the included Python CLI. That is necessary for this cookie-based approach, but it requires the user to expose a sensitive session cookie. The instructions do not request or read unrelated files or other credentials. The skill stores the cookie and token in ~/.trainingpeaks (described in the docs).
Install Mechanism
There is no install spec and the single Python script is included in the bundle. The script uses only Python stdlib (urllib, json, pathlib, etc.) and performs no external downloads or package installs; this is low-risk from an install perspective.
Credentials
The skill declares no required env vars; TP_AUTH_COOKIE is optional and is reasonable for CI/use. No unrelated secrets or high-privilege environment variables are requested. Local storage of cookie/token in ~/.trainingpeaks is the only persistence of credentials.
Persistence & Privilege
The skill does persist credentials and tokens to ~/.trainingpeaks with attempted 0600 permissions (as stated). always is false and autonomous invocation is allowed (platform default). Because the skill handles an account session cookie, you should be mindful of allowing autonomous invocation if you don't want the agent to use that cookie without explicit prompts.
Assessment
This skill appears to do what it says, but it requires you to copy/paste your TrainingPeaks session cookie (Production_tpAuth) — a long-lived secret that grants access to your account. Only paste that cookie into this tool if you trust the skill and the environment where the agent runs. Recommendations before installing: 1) Review the included scripts/tp.py (already done) — it only talks to https://tpapi.trainingpeaks.com and stores data under ~/.trainingpeaks. 2) If you proceed, store the cookie only on a trusted machine, or use the TP_AUTH_COOKIE env var for short-lived CI runs. 3) To revoke local access, delete ~/.trainingpeaks (cookie, token.json, config.json). 4) Prefer official API keys if TrainingPeaks offers them — copying a session cookie is more sensitive. 5) Note the package source is anonymous (no homepage/unknown owner); if you have concerns about provenance, run the script in an isolated environment (container/VM) or avoid using it.Like a lobster shell, security has layers — review code before you run it.
latestvk978xr5h2yjgaxyvt77ce6af5d80gtyx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.