ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FTPilot

v1.0.5

AI-powered endurance cycling coach using Intervals.icu data. Use when the user asks about cycling training, FTP, power zones, workout planning, fitness statu...

0· 75·0 current·0 all-time
by@yuai007
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Intervals.icu coach) aligns with the two required environment variables (INTERVALS_API_KEY, INTERVALS_ATHLETE_ID). Requiring an Intervals API key and athlete id is proportionate for this purpose. However, the skill also requires the npx binary and instructs the agent to 'Use mcporter to call FTPilot MCP tools' while providing no code or install instructions for mcporter or those tools — this is an ambiguity (not obviously malicious, but unexpected).
Instruction Scope
SKILL.md stays focused on coaching tasks (fetch athlete, wellness, activities, power curve, create events). It does not instruct reading arbitrary files, other env vars, or sending data to unrelated endpoints. It does include strict rules for risk control and output format and explicitly allows creating events (i.e., write actions) via Intervals, which is consistent with the stated capability.
Install Mechanism
Instruction-only skill with no install spec (low install risk). But it declares npx as a required binary and references mcporter (an npm-based runner) without providing an install or source for mcporter — this is an implementation gap: either mcporter is expected to be available via npx (npx <pkg>), or the platform must provide it. The lack of clarity about where the runtime tool comes from is a practical concern.
Credentials
Only INTERVALS_API_KEY and INTERVALS_ATHLETE_ID are required — these are proportional for accessing Intervals.icu. There are no unrelated credentials requested. Note: the skill can create events (write action) — the user should confirm the API key's scope (read vs read/write) before providing it.
Persistence & Privilege
Skill does not request persistent/system privileges (always:false, no config paths). It is user-invocable and can be invoked autonomously by the model (platform default) but does not force always-on presence.
What to consider before installing
This skill looks coherent with its stated purpose (Intervals.icu coaching) and only asks for Intervals-specific credentials. However, it is instruction-only and references mcporter (invoked via npx) and a set of runtime 'tools' without providing code or an install path — ask the publisher or platform: (1) how are the ftpilot.* tool calls implemented and where does mcporter come from (npx package name/version)? (2) does the Intervals API key you will supply have read-only or write permissions? The skill can create events (write action) so prefer a read-only key if possible. If you proceed, ensure the API key is scoped minimally, and verify on a test athlete/account first. If you cannot confirm the mcporter implementation or the platform mapping of the declared tools, treat the skill as incomplete and avoid giving high-privilege keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f14d0gehvengesht1r2dzhs83h112

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚴 Clawdis
Binsnpx
EnvINTERVALS_API_KEY, INTERVALS_ATHLETE_ID

Comments