Wahoo Skill
Pass. Audited by ClawScan on May 13, 2026.
Overview
The skill appears purpose-aligned for syncing Wahoo workouts, but it grants ongoing Wahoo OAuth access and stores sensitive GPS and health workout data locally.
Install this if you are comfortable giving a local agent ongoing read access to your Wahoo data. Use minimum OAuth scopes, protect ~/.openclaw/secrets and the training workspace with restrictive permissions, avoid sharing token/setup output or the generated DB/FIT files, and revoke/delete tokens when you stop using it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When asked to sync, the agent can contact Wahoo, download FIT files, and update the local training database.
The skill gives agents a direct command to run a network sync that downloads workouts and updates a local SQLite database. This is central to the stated purpose, but users should notice that invoking it mutates local files and may run for a long time on first sync.
"Sync my Wahoo workouts" / "Pull new rides" | `python3 {baseDir}/scripts/fetch_workouts.py` ... The fetch script is **idempotent** — safe to run on a heartbeat.
Invoke syncing deliberately, keep the training directory private, and avoid scheduling repeated syncs unless you want ongoing local updates.
A configured agent can continue reading Wahoo workout/profile data using the stored refresh token; exposure of the token or secrets file could expose account data.
The skill uses delegated Wahoo account access, stores/loads local credentials, and can refresh access without another browser approval. This is expected for Wahoo syncing but grants continuing read access until revoked.
OAuth2 with the `offline_data` scope yields a long-lived refresh token; access tokens expire after ~2 hours and the skill auto-refreshes on 401. ... `wahoo_auth.py` automatically reads them from `~/.openclaw/secrets/wahoo.env`
Use the minimum Wahoo scopes, store secrets only in local protected files, restrict access to ~/.openclaw/secrets, and revoke the Wahoo app/token if you stop using the skill.
Installing the dependency trusts the PyPI package and the version selected by pip.
The skill depends on a third-party PyPI package installed manually with a version range and no lockfile or hash pinning. This is purpose-aligned for FIT parsing but is a supply-chain point users should recognize.
pip install --user 'fitparse>=1.2,<2' ... (`fitparse` is the only Python dependency. `curl` is needed for the shell refresh helper.)
Install dependencies from a trusted environment, consider pinning an exact reviewed fitparse version, and keep package sources under normal supply-chain hygiene.
Your ride locations, heart-rate, power, device information, and workout history may remain available on disk for future queries.
The skill intentionally creates persistent local data stores containing sensitive location and health/training telemetry. This is core to the product, but future agents or local users with file access could read it.
The local `wahoo.db` and `wahoo_fit/` directory contain GPS, heart-rate, and power history. They inherit your training-dir permissions ... Tighten with `chmod 700 ~/.openclaw/workspace/training`
Use a private training directory, apply restrictive permissions such as chmod 700, and avoid sharing the SQLite database or FIT files unless intended.
