Is brainsoft-raxat/stravacli safe?

https://github.com/openclaw/skills/tree/main/skills/brainsoft-raxat/stravacli

88
SAFE

The brainsoft-raxat/stravacli skill is a clean, documentation-only skill with no embedded code, install hooks, git hooks, submodules, or prompt injection patterns. Installation was confined to a GitHub sparse checkout producing exactly two text files, and canary file access events were confirmed as monitoring framework baseline reads rather than skill behavior. The primary residual concerns are the unaudited external stravacli binary dependency (which cannot be evaluated through skill-level analysis) and the skill's provision of access to GPS stream data and route exports, which constitute sensitive location PII that could be exploited if the agent context is compromised or combined with a data-exfiltrating skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM GPS Stream and Route Data Exposes Sensitive Location PII -15

The skill instructs the agent to retrieve raw GPS coordinate streams and export route files in GPX format. These datasets reveal precise patterns of daily movement including likely home address, workplace, and recurring locations. If the agent session is logged, the data is sent to another skill, or the agent is operating in a compromised context, this constitutes a significant location privacy leak for the Strava account holder.

LOW Unaudited External Binary Dependency Creates Unverifiable Attack Surface -7

The entire skill depends on the stravacli binary which must be independently installed. This binary is not shipped with the skill, is not versioned or hash-pinned in SKILL.md, and cannot be audited through skill-level analysis. A malicious or compromised stravacli binary could silently exfiltrate stored OAuth tokens, intercept credentials during the auth flow, or read and transmit activity data without any indication in the skill's text.

LOW OAuth Token Stored Locally by Auth Flow -5

The skill instructs the agent to execute stravacli auth login, which stores a Strava OAuth token on the local filesystem. This token grants ongoing read access to the full activity history and limited write access. Token security depends entirely on the external binary's implementation, local filesystem permissions, and whether any other process on the system can read the token store.

INFO Canary File Access Events Attributed to Monitoring Framework, Not Skill 0

Filesystem and auditd logs record opens of six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) at audit timestamp 1771928681. Cross-referencing with the process execution log confirms the skill installation git clone does not begin until audit timestamp 1771928686 (event 495). A second batch of identical canary reads occurs at 1771928704, post-install. Both access clusters are consistent with the monitoring framework establishing pre- and post-install baselines. Canary integrity confirms no content was exfiltrated.

INFO Install Confined to GitHub Sparse Checkout of Two Text Files 0

The installation process performed a depth-1 sparse clone of the openclaw/skills monorepo targeting only the skills/brainsoft-raxat/stravacli subpath. This resulted in exactly two files being written to the skill directory. No network connections to non-GitHub endpoints were initiated during the install window.

INFO SKILL.md Contains No Injection or Manipulation Patterns 0

The full text of SKILL.md was reviewed for prompt injection vectors including instruction overrides, persona manipulation, hidden unicode, base64 payloads, external fetch requests, and markdown tricks. None were found. The skill contains only legitimate CLI command documentation. Write commands are explicitly gated with a confirmation requirement.