Is geodeterra/strava-cli safe?

https://github.com/openclaw/skills/tree/main/skills/geodeterra/strava-cli

87
SAFE

The geodeterra/strava-cli skill is clean documentation-only content with no prompt injection, hidden instructions, or malicious code. The primary risk is a supply chain concern: the skill instructs the agent to run an unpinned external Python package from PyPI via uvx, meaning a future compromise of the strava-client-cli package would result in code execution. Additionally, the skill's bulk export capability and predictable OAuth token storage path create data-exposure risk when combined with other skills that can read files or make HTTP requests.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Unpinned PyPI package execution via uvx -25

The skill directs the agent to execute uvx --from strava-client-cli strava which fetches and runs the latest version of the package from PyPI at invocation time. No version pin or checksum is specified. A future compromise of the strava-client-cli PyPI package would result in arbitrary code execution in the agent's environment.

LOW Bulk GPS/fitness data export to local filesystem -8

The documented strava export command writes the user's complete Strava activity history (GPS tracks, timing, heart rate) as JSON to a local directory. This is the intended feature but represents a high-value data aggregation point if a malicious co-resident skill can read and forward it.

LOW OAuth tokens stored at predictable filesystem path -10

Access tokens are persisted at ~/.config/strava-cli/tokens.json, enabling any process or co-resident skill with home-directory read access to authenticate as the user against the Strava API without further user interaction.

LOW OAuth credential flow normalized in agent instructions -8

The skill includes detailed instructions for credential entry, URL authorization, and code extraction from redirect URIs. While legitimate, this primes the agent to accept credential-handling tasks without skepticism. No actual injection payload was found.

INFO Clean install; all network traffic attributable to GitHub -5

The installation cloned only from github.com/openclaw/skills.git via HTTPS. No unexpected outbound connections, no process spawning beyond standard git operations, and no filesystem modifications outside the designated skill directory were observed.