Query Fitbit health data including sleep, heart rate, activity, SpO2, and breathing rate. Use when user asks about their fitness, sleep quality, steps, or health metrics.
Security Analysis
Confidence: medium. The skill's instructions read like a simple wrapper around a Fitbit CLI, but its metadata and declarations are inconsistent (no declared credentials and no install source for the required 'fitbit-cli' binary), so important provenance and credential details are missing.
The SKILL.md clearly intends to query Fitbit data via a 'fitbit-cli' binary, which is consistent with the stated purpose. However, the registry metadata at the top lists no required binaries or credentials, while the SKILL.md front-matter declares requires: bins: ['fitbit-cli']. That mismatch, together with the absence of any declared OAuth client or API credentials, is unexplained.
Runtime instructions are narrowly scoped to running fitbit-cli commands (read-only queries and an '--init-auth' flow). The instructions do not tell the agent to read unrelated files or send data to unexpected endpoints, but they omit details on how authentication works and where tokens/config are stored.
There is no install spec and no source for the 'fitbit-cli' binary. If the binary is required, the skill should document where to obtain a trusted release. Absence of provenance increases risk because a user/agent might install an untrusted binary.
The skill declares no required environment variables or primary credential, yet accessing Fitbit data normally requires OAuth tokens or API credentials. The SKILL.md mentions 'tokens auto-refresh' and '--init-auth' but does not declare which environment variables or config paths are used, so it is unclear where sensitive tokens live.
The skill is not always-enabled and does not request elevated platform privileges. It will likely cause the CLI to store tokens locally (for auto-refresh), which is expected behavior but should be documented (storage location, file permissions, token lifetime).
Guidance
Before installing or using this skill, ask the publisher:
(1) Where does the 'fitbit-cli' binary come from? Provide a trusted download or package source (official repo, GitHub release, signed package).
(2) How does authentication work: which OAuth client/app is used, which scopes are requested, will tokens be stored locally, and where (path and file permissions)?
(3) Which environment variables or config files does the CLI use? These should be declared in the skill metadata.
If you cannot verify the CLI's provenance and inspect its install and auth flow, avoid installing it, or run it only in a restricted environment. If you proceed, prefer official or verified releases, check where tokens are stored, and be ready to revoke the Fitbit app's tokens if you suspect misuse.
Latest Release
v0.1.0
Initial release - health and fitness data from Fitbit
Published by @mjrussell on ClawHub