v1.0.5

FTPilot

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:10 AM.

Analysis

FTPilot is coherent for an Intervals.icu cycling-coach skill, but it needs an API key and can read wellness/training data and create workout events.

GuidanceInstall only if you are comfortable granting Intervals.icu access to the configured MCP tools. Verify the tool provider/source, protect the API key, and review any workout events before they are created in your calendar.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

`ftpilot.create_event` | Create workout plans

The skill exposes a tool that can create training events in the user's Intervals.icu account. This is aligned with the stated purpose, but it is a persistent account mutation.

User impactIf used, the agent may add workouts or plans to the user's training calendar.

RecommendationConfirm the planned workout details before allowing event creation, especially for multi-day or recurring plans.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The reviewed artifact does not identify a source repository or homepage for the MCP tooling referenced by the skill.

User impactThe SKILL.md is understandable, but the actual MCP implementation is not represented in the provided artifacts.

RecommendationBefore entering credentials, verify the MCP package/tool source and install path in your local configuration.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

"requires": { "bins": ["npx"], "env": ["INTERVALS_API_KEY", "INTERVALS_ATHLETE_ID"] }

The skill requires an Intervals.icu API key and athlete ID, which are expected for this integration but still represent delegated account access.

User impactAnyone installing it must provide credentials that allow the configured tools to access the user's Intervals.icu account data.

RecommendationUse the least-privileged Intervals.icu credential available, keep it out of shared logs/prompts, and revoke or rotate it if the skill is no longer used.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceMediumStatusNote

SKILL.md

Use mcporter to call FTPilot MCP tools for data-driven coaching.

The skill routes coaching requests through MCP tools, including tools that retrieve athlete, wellness, activity, and calendar data.

User impactSensitive training and wellness information such as HRV, sleep, fatigue, FTP, and ride details may be handled by the configured MCP tool provider.

RecommendationOnly connect this skill to MCP tooling you trust, and review the provider's handling of Intervals.icu data before supplying credentials.