← 返回 Skills 市场
Strava
作者
Bohdan Podvirnyi
· GitHub ↗
· v1.0.0
2747
总下载
9
收藏
11
当前安装
1
版本数
在 OpenClaw 中安装
/install strava
功能描述
Load and analyze Strava activities, stats, and workouts using the Strava API
安全使用建议
This skill appears to do what it says (call the Strava API and refresh tokens) but there are metadata inconsistencies and sensitive credential handling to consider before installing:
- Metadata mismatch: the registry claims no required env vars but the SKILL.md and included script clearly need STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. Ask the publisher to correct the manifest so required permissions are explicit.
- Secrets handling: the README/SKILL.md suggests storing tokens in ~/.clawdbot/clawdbot.json (plaintext). The included refresh_token.sh prints new tokens to stdout rather than securely storing them. Prefer setting secrets via environment variables or a secure secrets store; if you must use the config file, restrict its filesystem permissions (chmod 600).
- Review the script before running: the refresh script is short and readable, but you should inspect it locally to confirm it only calls Strava and does not send data elsewhere.
- Trust and provenance: the source is listed as unknown. Only provide your Strava client secret and refresh token to skills from publishers you trust. If you have doubts, create a Strava app with limited scope or a throwaway account for testing.
If the publisher updates the registry metadata to accurately list required env vars and documents secure handling of tokens (or implements a safe automatic config update mechanism), the concerns would be reduced.
功能分析
Type: OpenClaw Skill
Name: strava
Version: 1.0.0
The skill bundle is benign. It provides a legitimate integration with the Strava API, requiring standard OAuth credentials (STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET) for its stated purpose. All `curl` commands in SKILL.md and scripts/refresh_token.sh are directed at official Strava API endpoints. There is no evidence of data exfiltration beyond necessary API interaction, malicious execution (e.g., `curl|bash` from external sources), persistence mechanisms, obfuscation, or prompt injection attempts against the agent.
能力评估
Purpose & Capability
The skill's name/description (Strava API access) matches what the files do: curl calls to Strava endpoints and a token-refresh helper. However, the registry metadata claims no required environment variables while SKILL.md (and the refresh script) require STRAVA_ACCESS_TOKEN, STRAVA_REFRESH_TOKEN, STRAVA_CLIENT_ID and STRAVA_CLIENT_SECRET. The mismatch between declared registry requirements and actual runtime needs is an inconsistency to resolve.
Instruction Scope
Runtime instructions stay within the Strava API domain: they show how to call GET endpoints, how to refresh tokens, and how to store credentials in ~/.clawdbot/clawdbot.json or environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to non-Strava endpoints. Note: they do instruct storing sensitive tokens in a local config file (or printing them), which is a sensitive operation.
Install Mechanism
There is no remote install step or downloaded code; this is instruction-only plus a small included script. That keeps the install risk low — nothing is fetched from arbitrary URLs or installed to system paths.
Credentials
The credentials requested by the SKILL.md and the refresh_token.sh (access token, refresh token, client id, client secret) are appropriate for a Strava integration, but the skill manifest/registry metadata does not declare them. Also SKILL.md metadata marks only STRAVA_ACCESS_TOKEN as primaryEnv while the script requires additional secrets. The skill suggests writing secrets to ~/.clawdbot/clawdbot.json (plaintext config) and the refresh script prints new tokens to stdout — both are sensitive practices and should be considered before use.
Persistence & Privilege
The skill is not always:true and does not request system-level persistence beyond advising adding secrets to the Clawdbot config or environment variables. Autonomous invocation is allowed by default (not a unique privilege). The skill does not try to modify other skills' configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install strava - 安装完成后,直接呼叫该 Skill 的名称或使用
/strava触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: Load and analyze Strava activities, stats, and workouts. Features OAuth token management, activity filtering, athlete stats, and rate limit handling.
元数据
常见问题
Strava 是什么?
Load and analyze Strava activities, stats, and workouts using the Strava API. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2747 次。
如何安装 Strava?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install strava」即可一键安装,无需额外配置。
Strava 是免费的吗?
是的,Strava 完全免费(开源免费),可自由下载、安装和使用。
Strava 支持哪些平台?
Strava 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Strava?
由 Bohdan Podvirnyi(@bohdanpodvirnyi)开发并维护,当前版本 v1.0.0。
推荐 Skills