← Back to Skills Marketplace

Ai Coach

Name: Ai Coach
Author: ciaefengye

by ciaefengye · GitHub ↗ · v3.2.0 · MIT-0

cross-platform ⚠ suspicious

167

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install triathlon-ai-coach

Description

根据你的比赛目标和身体状态，智能生成并动态调整个性化每日铁人三项训练计划，支持TrainingPeaks和Garmin数据同步。

Usage Guidance

This skill mostly does what it claims (generate daily triathlon plans using TrainingPeaks and Garmin), but it requires you to provide sensitive credentials and stores them in plaintext. Key concerns to consider before installing: - Hardcoded API keys: send_daily_plan.py contains an embedded IMA client id and API key. If those are valid, the skill can post notes to IMA using that account; if they are leaked or revoked you should rotate them. Ideally the skill should read IMA credentials from your local config (as the SKILL.md suggests) rather than embedding keys. - Plaintext credentials and token files: the code saves Garmin and TP credentials/tokens to local files (data/credentials.json, ~/.trainingpeaks/cookie, ~/.garmin_tokens, /tmp/garmin_test_token). That increases risk if other users/processes can read your filesystem. Prefer to store secrets in secure OS key stores or limit file permissions; inspect and, if possible, run in an isolated environment. - Instructions ask you to extract a TrainingPeaks cookie using browser devtools — this is sensitive and error-prone. Consider using official OAuth flows or TrainingPeaks API tokens instead. - Code/document mismatches and bugs: SKILL.md references a tp_client.py that is not present; tp_sync.py references an undefined AI_COACH_DIR; multiple modules hardcode a Python path (~/.miniconda3/bin/python3) and reference other skill directories. These indicate the package may be unmaintained or partially copied and could fail or behave unexpectedly. - Mitigations: review the code locally before running; remove or replace hardcoded IMA keys; avoid storing passwords/cookies in plaintext (use environment variables or OS secret stores, and set restrictive file permissions); run the skill in a sandboxed account or container; rotate any credentials you upload to or generate for this skill; verify/replace the external TrainingPeaks/IMA integration with official OAuth if possible. If you are not comfortable with these issues, do not install or run the skill with your real Garmin/TrainingPeaks credentials. If you decide to proceed, audit and modify the code to eliminate hardcoded secrets and to secure credential storage first.

Capability Analysis

Type: OpenClaw Skill Name: triathlon-ai-coach Version: 3.2.0 The skill bundle handles highly sensitive credentials, including Garmin passwords and TrainingPeaks authentication cookies, storing them in local files (e.g., data/credentials.json) or environment variables. It also contains hardcoded API credentials for the IMA service in scripts/send_daily_plan.py and utilizes risky execution patterns like os.popen and subprocess.run in scripts/tp_sync.py and scripts/plan_engine.py. While these capabilities are aligned with the stated purpose of a triathlon coach, the insecure management of secrets and use of shell-calling functions represent significant security vulnerabilities.

Capability Tags

requires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

Name/description match the code: modules sync TrainingPeaks and Garmin and generate plans. However there are unexpected items: a hardcoded IMA client id/API key in send_daily_plan.py (not mentioned in manifest as a required credential), references to another skill directory (trainingpeaks-skill) and to ~/.openclaw workspace, and use of local files to store credentials—some of these are plausible but not fully justified by the SKILL.md.

⚠ Instruction Scope

SKILL.md tells users to extract a TrainingPeaks cookie via browser devtools and to save Garmin credentials; code implements those flows. But SKILL.md calls a tp_client.py verification command that is not present in the file manifest (missing file). SKILL.md references reading/storing cookies and token dirs; code reads/writes multiple credential/token files (e.g. ~/.trainingpeaks/cookie, data/credentials.json, ~/.garmin_tokens, /tmp/garmin_test_token, and cache under ~/.openclaw). The instructions and code both direct collection and persistent storage of sensitive authentication material (cookies, cleartext passwords, tokens).

ℹ Install Mechanism

No install spec (instruction-only install), so no remote downloads are performed by an installer; that's lower risk. The code depends on external Python packages (garminconnect, garth) installed via pip per SKILL.md — expected for purpose. However the code assumes a specific Python at ~/.miniconda3/bin/python3 and executes other local scripts via subprocess/os.popen which can be brittle and surprising.

⚠ Credentials

Registry metadata declares no required env vars, but runtime expects/suggests storing secrets in files or env vars (TP cookie file or TP_AUTH_COOKIE env var; GARMIN_EMAIL/GARMIN_PASSWORD env vars or user_config.json). Code also contains a hardcoded IMA_CLIENTID and IMA_APIKEY embedded in send_daily_plan.py — those are sensitive and not explained. Credentials are saved in plaintext under skill data directories and tmp files; this level of persistent credential access is significant and should be justified explicitly.

⚠ Persistence & Privilege

Skill writes and reads persistent files (credential files, token caches, activity and cache JSONs) under multiple locations (~/.trainingpeaks, ~/.garmin_tokens, skill 'data/' directory, /tmp/garmin_test_token, ~/.openclaw workspace path). It also references and updates config.json in the skill directory. always:false (not force-included) and autonomous invocation allowed (platform default). Persisting credentials and tokens across runs increases blast radius if those files are compromised.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install triathlon-ai-coach
After installation, invoke the skill by name or use /triathlon-ai-coach
Provide required inputs per the skill's parameter spec and get structured output

Version History

v3.2.0

v3.2.0: TP+Garmin 铁三训练教练，支持每日训练计划生成/推送、训练复盘、Garmin 健康数据分析。账号信息改为 user_config.json / 环境变量配置，无硬编码凭证

v3.1.1

v3.1.1: 移除硬编码账号密码，改为 user_config.json 或环境变量配置；移除绝对路径；清理个人数据

v3.1.0

v3.1.0: 重构代码架构，新增复盘板块，修复Garmin/garth API兼容性，修复日期硬编码Bug，CTL/TSB小数位优化，计划去重逻辑

v3.0.1

v3.0.1: 清理缓存文件，移除健康数据缓存，添加.gitignore保护隐私

v3.0.0

v3.0: 1)晚间推送加入Garmin健康数据(睡眠/准备度/HRV/压力) 2)新增今日已完成训练详细点评功能 3)cron推送指令升级，自动综合TP+Garmin双源数据

v1.3.1

Bug fixes: intensity_factor null check, tp_client import path fix. Added get_plan_title() for auto-generating note titles.

v1.3.0

Security fix: integrated TP client (tp_client.py), removed external skill dependency (subprocess calls), cleaned credentials handling, removed paid contact info from SKILL.md

v1.2.0

v1.2.0 - 训练点评详细版：显示时长、距离、心率区间、IF、TSS，综合建议

v1.1.0

v1.1.0 - 新增两种推送模式（晚间/早晨）、TP训练完成点评、当天训练分析

v1.0.1

1.0.1 - 完善订阅模式说明，高级版¥19/月，微信联系 ciaefengye 解锁

v1.0.0

v1.0.0 - 初始版本：支持TP/Garmin双数据源，动态比赛配置，每日训练计划

Metadata

Slug triathlon-ai-coach

Version 3.2.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 11

Frequently Asked Questions

What is Ai Coach?

根据你的比赛目标和身体状态，智能生成并动态调整个性化每日铁人三项训练计划，支持TrainingPeaks和Garmin数据同步。 It is an AI Agent Skill for Claude Code / OpenClaw, with 167 downloads so far.

How do I install Ai Coach?

Run "/install triathlon-ai-coach" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ai Coach free?

Yes, Ai Coach is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Ai Coach support?

Ai Coach is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Ai Coach?

It is built and maintained by ciaefengye (@ciaefengye); the current version is v3.2.0.

More Skills