Ai Coach

根据你的比赛目标和身体状态，智能生成并动态调整个性化每日铁人三项训练计划，支持TrainingPeaks和Garmin数据同步。

This skill mostly does what it claims (generate daily triathlon plans using TrainingPeaks and Garmin), but it requires you to provide sensitive credentials and stores them in plaintext. Key concerns to consider before installing: - Hardcoded API keys: send_daily_plan.py contains an embedded IMA client id and API key. If those are valid, the skill can post notes to IMA using that account; if they are leaked or revoked you should rotate them. Ideally the skill should read IMA credentials from your local config (as the SKILL.md suggests) rather than embedding keys. - Plaintext credentials and token files: the code saves Garmin and TP credentials/tokens to local files (data/credentials.json, ~/.trainingpeaks/cookie, ~/.garmin_tokens, /tmp/garmin_test_token). That increases risk if other users/processes can read your filesystem. Prefer to store secrets in secure OS key stores or limit file permissions; inspect and, if possible, run in an isolated environment. - Instructions ask you to extract a TrainingPeaks cookie using browser devtools — this is sensitive and error-prone. Consider using official OAuth flows or TrainingPeaks API tokens instead. - Code/document mismatches and bugs: SKILL.md references a tp_client.py that is not present; tp_sync.py references an undefined AI_COACH_DIR; multiple modules hardcode a Python path (~/.miniconda3/bin/python3) and reference other skill directories. These indicate the package may be unmaintained or partially copied and could fail or behave unexpectedly. - Mitigations: review the code locally before running; remove or replace hardcoded IMA keys; avoid storing passwords/cookies in plaintext (use environment variables or OS secret stores, and set restrictive file permissions); run the skill in a sandboxed account or container; rotate any credentials you upload to or generate for this skill; verify/replace the external TrainingPeaks/IMA integration with official OAuth if possible. If you are not comfortable with these issues, do not install or run the skill with your real Garmin/TrainingPeaks credentials. If you decide to proceed, audit and modify the code to eliminate hardcoded secrets and to secure credential storage first.

Type: OpenClaw Skill Name: triathlon-ai-coach Version: 3.2.0 The skill bundle handles highly sensitive credentials, including Garmin passwords and TrainingPeaks authentication cookies, storing them in local files (e.g., data/credentials.json) or environment variables. It also contains hardcoded API credentials for the IMA service in scripts/send_daily_plan.py and utilizes risky execution patterns like os.popen and subprocess.run in scripts/tp_sync.py and scripts/plan_engine.py. While these capabilities are aligned with the stated purpose of a triathlon coach, the insecure management of secrets and use of shell-calling functions represent significant security vulnerabilities.