← Back to Skills Marketplace

Strava

Name: Strava
Author: bohdanpodvirnyi

by Bohdan Podvirnyi · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

2747

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install strava

Description

Load and analyze Strava activities, stats, and workouts using the Strava API

Usage Guidance

This skill appears to do what it says (call the Strava API and refresh tokens) but there are metadata inconsistencies and sensitive credential handling to consider before installing: - Metadata mismatch: the registry claims no required env vars but the SKILL.md and included script clearly need STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. Ask the publisher to correct the manifest so required permissions are explicit. - Secrets handling: the README/SKILL.md suggests storing tokens in ~/.clawdbot/clawdbot.json (plaintext). The included refresh_token.sh prints new tokens to stdout rather than securely storing them. Prefer setting secrets via environment variables or a secure secrets store; if you must use the config file, restrict its filesystem permissions (chmod 600). - Review the script before running: the refresh script is short and readable, but you should inspect it locally to confirm it only calls Strava and does not send data elsewhere. - Trust and provenance: the source is listed as unknown. Only provide your Strava client secret and refresh token to skills from publishers you trust. If you have doubts, create a Strava app with limited scope or a throwaway account for testing. If the publisher updates the registry metadata to accurately list required env vars and documents secure handling of tokens (or implements a safe automatic config update mechanism), the concerns would be reduced.

Capability Analysis

Type: OpenClaw Skill Name: strava Version: 1.0.0 The skill bundle is benign. It provides a legitimate integration with the Strava API, requiring standard OAuth credentials (STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET) for its stated purpose. All `curl` commands in SKILL.md and scripts/refresh_token.sh are directed at official Strava API endpoints. There is no evidence of data exfiltration beyond necessary API interaction, malicious execution (e.g., `curl|bash` from external sources), persistence mechanisms, obfuscation, or prompt injection attempts against the agent.

Capability Assessment

ℹ Purpose & Capability

The skill's name/description (Strava API access) matches what the files do: curl calls to Strava endpoints and a token-refresh helper. However, the registry metadata claims no required environment variables while SKILL.md (and the refresh script) require STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. The mismatch between declared registry requirements and actual runtime needs is an inconsistency to resolve.

ℹ Instruction Scope

Runtime instructions stay within the Strava API domain: they show how to call GET endpoints, how to refresh tokens, and how to store credentials in ~/.clawdbot/clawdbot.json or environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to non-Strava endpoints. Note: they do instruct storing sensitive tokens in a local config file (or printing them), which is a sensitive operation.

✓ Install Mechanism

There is no remote install step or downloaded code; this is instruction-only plus a small included script. That keeps the install risk low — nothing is fetched from arbitrary URLs or installed to system paths.

⚠ Credentials

The credentials requested by the SKILL.md and the refresh_token.sh (access token, refresh token, client id, client secret) are appropriate for a Strava integration, but the skill manifest/registry metadata does not declare them. Also SKILL.md metadata marks only STRAVA_ACCESS_TOKEN as primaryEnv while the script requires additional secrets. The skill suggests writing secrets to ~/.clawdbot/clawdbot.json (plaintext config) and the refresh script prints new tokens to stdout — both are sensitive practices and should be considered before use.

✓ Persistence & Privilege

The skill is not always:true and does not request system-level persistence beyond advising adding secrets to the Clawdbot config or environment variables. Autonomous invocation is allowed by default (not a unique privilege). The skill does not try to modify other skills' configs.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install strava
After installation, invoke the skill by name or use /strava
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release: Load and analyze Strava activities, stats, and workouts. Features OAuth token management, activity filtering, athlete stats, and rate limit handling.

Metadata

Slug strava

Version 1.0.0

License —

All-time Installs 11

Active Installs 11

Total Versions 1

Frequently Asked Questions

What is Strava?

Load and analyze Strava activities, stats, and workouts using the Strava API. It is an AI Agent Skill for Claude Code / OpenClaw, with 2747 downloads so far.

How do I install Strava?

Run "/install strava" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Strava free?

Yes, Strava is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Strava support?

Strava is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Strava?

It is built and maintained by Bohdan Podvirnyi (@bohdanpodvirnyi); the current version is v1.0.0.

More Skills