Wahoo Skill
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent can pull the user's Wahoo workout history and create or update local training files.
The skill instructs an agent to run a local script that performs authenticated API calls, downloads FIT files, and writes local SQLite data. This is expected for the skill's purpose, but users should understand the command has real data-access and file-write effects.
"Sync my Wahoo workouts" / "Pull new rides" | `python3 {baseDir}/scripts/fetch_workouts.py`
Only invoke sync when you want the agent to fetch workout data, and review the configured training directory if the computer is shared.
Anyone with access to the token file or configured client credentials may be able to read Wahoo workout/profile data until access is revoked.
The skill uses OAuth credentials and a long-lived refresh token to access Wahoo account data. This is necessary for ongoing workout sync, but it is sensitive delegated access.
OAuth2 with the `offline_data` scope yields a long-lived refresh token; access tokens expire after ~2 hours and the skill auto-refreshes on 401.
Use only the minimum Wahoo scopes needed, keep token and secret files private, and revoke the Wahoo app/token if you stop using the skill.
Installing the dependency runs third-party package code in the user's Python environment.
The skill relies on an external Python package installed manually rather than through a locked install spec. The dependency is directly related to parsing FIT files and no automatic remote install script is shown.
`pip install --user 'fitparse>=1.2,<2'`
Install dependencies from a trusted package index or audited environment, and consider pinning an exact version if reproducibility matters.
Workout routes, timestamps, heart-rate, power, device, and profile-related data may remain on disk after sync.
The skill creates persistent local stores of sensitive fitness and location telemetry that future agent sessions or local users may be able to query.
The local `wahoo.db` and `wahoo_fit/` directory contain GPS, heart-rate, and power history.
Store the training directory in a private location, restrict permissions on shared machines, and delete the database/FIT files if you no longer need local history.
