Is bohdanpodvirnyi/strava safe?
https://github.com/openclaw/skills/tree/main/skills/bohdanpodvirnyi/strava
The bohdanpodvirnyi/strava skill is a well-scoped, purpose-appropriate integration for the Strava fitness API. The SKILL.md contains no prompt injection patterns and no instructions to access local sensitive files, and the sole included shell script (refresh_token.sh) communicates exclusively with strava.com's OAuth endpoint using only standard Unix utilities. Installation activity was limited to a GitHub sparse-checkout, no persistent connections were established, and all canary files were confirmed intact. The primary concerns are low-severity: OAuth tokens are echoed to stdout during refresh (risk of credential exposure in logged agent environments) and the skill requires four sensitive OAuth environment variables to function.
Findings (5)
LOW Token refresh script outputs plaintext credentials to stdout -8
refresh_token.sh echoes the new STRAVA_ACCESS_TOKEN and STRAVA_REFRESH_TOKEN to stdout after a successful refresh. In agent environments where shell command output is captured, stored, or logged (e.g., conversation history, tool call logs, debug traces), these OAuth credentials would be exposed. An attacker who gains access to agent logs could harvest valid Strava tokens.
LOW Shell script with OAuth credentials executed at agent direction -10
The skill instructs agents to run a bash script that processes OAuth credentials via shell environment variables. While the script only communicates with strava.com, execution of shell scripts at agent direction expands the attack surface. Any future code injection into the skill's bash template (e.g., via a compromised SKILL.md update) would be executed with user privileges.
LOW {baseDir} template variable relies on framework path resolution -5
SKILL.md instructs 'bash {baseDir}/scripts/refresh_token.sh' where {baseDir} is a framework-resolved template. If the Clawdbot framework resolves this variable insecurely, or if an agent could be tricked into supplying a crafted base path, this could direct the agent to execute an unintended script. Risk is framework-dependent, not inherent to the skill.
INFO Canary file accesses traced to audit harness, not skill 0
Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Timing analysis confirms the first batch (timestamp 1771738948.065, audit records 267-272) occurred before the git clone (1771738953) during audit setup, and the second batch (timestamp 1771738967.446, records 1441-1446) occurred after all skill file analysis during audit teardown. No skill file contains instructions to read these paths. Canary integrity check confirms all files unmodified.
INFO Sensitive personal fitness data handled in agent context -5
Strava activity data returned by the API includes GPS route data (implied by activity detail endpoints), heart rate, start timestamps, and elapsed times — sensitive personal health and location information. While the skill correctly scopes all data to the authenticated user's own account, agents executing these curl commands will have this data in their context window and tool call outputs, which may be retained in conversation history.