← 返回 Skills 市场
274
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install runstr-analytics
功能描述
Advanced RUNSTR fitness analytics with trend analysis, performance insights, training recommendations, and correlation tracking. Analyzes workout history, ha...
安全使用建议
This skill does what it says (fetch and analyze RUNSTR backups), but there are important inconsistencies and secret-handling risks you should address before installing:
- Do not paste your Nostr private key (nsec1...) into a chat message. The SKILL.md suggests doing this, which risks the key being stored or transmitted by the agent. Prefer supplying secrets only via secure 1) environment variables, 2) stdin, or 3) temporary files with strict permissions — but see next points.
- The README claims the key is passed via stdin to avoid exposure, but multiple scripts (analyze.py, analyze_light.py, daily_update.sh) pass the nsec on the command line or forward it as a --nsec argument, which exposes it in process listings (ps) and to other system monitoring. If you plan to use this, inspect and modify the code so all calls use stdin (the extended script already does this) or other safe mechanisms.
- The registry metadata at the top is inconsistent: it lists no required env vars, but _meta.json and SKILL.md require RUNSTR_NSEC. Treat RUNSTR_NSEC as required and verify how you will store/enter it. Avoid putting secrets in crontab or plain-text startup files. Cron jobs typically do not inherit your interactive environment; storing the key in files that cron reads will persist the secret — consider using a secure secret manager or run the job from a user-level systemd service with restricted environment instead.
- The install steps use a Go package to install 'nak' (github.com/fiatjaf/nak) and pip for analytics libs — confirm you trust those sources. 'nak' is necessary to read/decrypt Nostr data, but installing arbitrary CLI tools should be done from trusted releases.
- If you want to proceed: (1) prefer running the extended script which uses stdin for nak.decode; (2) edit analyze.py and analyze_light.py to use stdin for secret input; (3) avoid pasting secrets into chat and avoid placing RUNSTR_NSEC in crontab or unencrypted files; (4) ensure the cache location is on encrypted disk if you are concerned about local data disclosure.
If you are not comfortable auditing or modifying the scripts, treat this skill as risky and consider not installing it.
功能分析
Type: OpenClaw Skill
Name: runstr-analytics
Version: 1.0.1
The skill handles highly sensitive Nostr private keys (nsec) and decrypted personal fitness/journal data, which are high-risk behaviors. While the documentation in SKILL.md and scripts/analyze_extended.py claims to handle the nsec securely via stdin to prevent exposure in process lists, the implementation actually accepts the nsec as a command-line argument in all Python scripts and the daily_update.sh script, creating a significant information exposure vulnerability. Additionally, the skill lists 'requests' as a dependency in _meta.json and SKILL.md but never utilizes it in the code, and it sets up persistence via a cron job (setup_cron.sh) to automate data fetching and local caching in a SQLite database.
能力评估
Purpose & Capability
The name/description (RUNSTR analytics) align with the code and dependencies: it fetches encrypted RUNSTR backups from Nostr relays, decrypts them using a Nostr private key, analyzes workouts, and caches results. The required binary 'nak' and Python packages (pandas/numpy/scipy/requests) are appropriate for this purpose. However, registry metadata at the top listed no required environment variables while _meta.json and SKILL.md both declare RUNSTR_NSEC as required — an inconsistency between declared registry fields and the bundled files.
Instruction Scope
SKILL.md and scripts instruct the agent/user to provide the Nostr private key (nsec1...) and even suggests 'Tell your bot: "Here's my RUNSTR nsec: nsec1..."' — i.e., paste the secret into chat, which is risky. The SKILL.md repeatedly claims the key is passed via stdin to avoid process-list leaks, but several code paths contradict this: analyze.py and analyze_light.py call nak with the nsec as a CLI argument, and daily_update.sh passes --nsec "$NSEC" to the Python script. Those will expose the secret to process listings and any process collectors on the system. The skill reads/writes only local cache (~/.cache/runstr-analytics) and communicates only with listed Nostr relays; there are no hidden external endpoints, but the mixed secret-handling behavior is problematic.
Install Mechanism
The install spec uses 'go' to install github.com/fiatjaf/nak and pip to install Python analytics libraries. Installing nak from that Go package is consistent with needing the 'nak' CLI; pip packages are expected for pandas/numpy/scipy/requests. These are standard registries; no downloads from untrusted personal servers or URL shorteners are used.
Credentials
The only secret the skill needs is a Nostr private key (RUNSTR_NSEC), which is proportionate to decrypting the user's RUNSTR backup. However: (1) the registry summary indicated no required env vars but the skill files and _meta.json require RUNSTR_NSEC — an incoherence. (2) The SKILL.md explicitly encourages pasting the private key into bot conversation (high-risk). (3) The recommended automation (cron) expects RUNSTR_NSEC in the environment and the provided daily_update.sh passes it as a command-line argument when invoking Python, exposing it to process lists. These behaviors increase the likelihood of accidental leakage of the private key.
Persistence & Privilege
always:false (not forced) and autonomous invocation is allowed (default). The skill optionally sets up a cron job and writes a local cache under ~/.cache/runstr-analytics; both are within the expected scope for this functionality. The cron setup is interactive and opt-in (setup_cron.sh prompts for confirmation). There is no evidence the skill modifies other skills or system-wide agent settings. Consider that if you add the cron job you are granting the skill ongoing scheduled execution on your machine.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install runstr-analytics - 安装完成后,直接呼叫该 Skill 的名称或使用
/runstr-analytics触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Version 1.0.1 – Security improvements for private key handling and local data protection
- Requires RUNSTR_NSEC to be set as an environment variable for all usage.
- Nostr private key (nsec) is now handled exclusively via stdin for enhanced security—never exposed on command line or process lists.
- Local cache and database files are created with strict permissions (0700/0600) to improve data privacy.
- Expanded "Security Considerations" and installation recommendations in documentation.
- No file or code changes detected; changelog reflects documentation and operational requirements only.
v1.0.0
runstr-analytics 1.0.0 – first release
- Provides advanced analytics on RUNSTR fitness data, including trend analysis, performance tracking, and training recommendations.
- Supports correlation insights (mood, habits, sleep vs performance) and generates personalized coaching tips.
- Offers multiple analysis scripts (basic, extended, full) with local caching for fast re-analysis.
- Integrates with structured training plans and supports visual reports (ASCII charts, sparklines).
- Designed for privacy—data is processed locally; no Nostr key is stored.
- Includes CLI tools for automation, personal record tracking, and customizable reporting.
元数据
常见问题
Runstr analytics 是什么?
Advanced RUNSTR fitness analytics with trend analysis, performance insights, training recommendations, and correlation tracking. Analyzes workout history, ha... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 274 次。
如何安装 Runstr analytics?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install runstr-analytics」即可一键安装,无需额外配置。
Runstr analytics 是免费的吗?
是的,Runstr analytics 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Runstr analytics 支持哪些平台?
Runstr analytics 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Runstr analytics?
由 Katla(@katla50)开发并维护,当前版本 v1.0.1。
推荐 Skills