
      Safety Report

      Fitbit Health Skill

      @pb3975

      Query Fitbit health data (activity, sleep, heart rate, weight) via CLI. Use when answering health/fitness questions that require Fitbit data, or when the user asks about their steps, sleep, heart rate, or weight from Fitbit.

      1,450 Downloads
      0 Installs
      2 Stars
      1 Versions
      CLI & Shell Tools (1,805) · Database Management (1,222) · Design & Prototyping (842) · Healthcare (460)

      Security Analysis

      high confidence
      Clean

      This skill is internally consistent with its stated purpose: it is a Fitbit CLI that uses OAuth PKCE, stores tokens locally, and calls only Fitbit endpoints.

      Feb 11, 2026 · 20 files
      Purpose & Capability: ok

      Name, description, SKILL.md, and code all align: the skill is a CLI for Fitbit data and explicitly requires a 'fitbit' binary. No unrelated services, env vars, or binaries are requested.

      Instruction Scope: ok

      Runtime instructions are limited to registering a Fitbit app, running the CLI's configure/login commands, and reading/writing config and token files under ~/.config/fitbit-cli. The code only contacts Fitbit endpoints (api.fitbit.com and www.fitbit.com) and uses a local 127.0.0.1 callback for OAuth.

      Install Mechanism: ok

      There is no provided install spec in the registry (instruction-only). The included package.json shows normal npm build/dev tooling and standard dependencies; no downloads from arbitrary URLs or extract/install behavior are present.

      Credentials: ok

      The skill does not request environment variables or external credentials. It uses a user-provided Fitbit Client ID (configured via the CLI) and OAuth tokens stored in the user's home directory—appropriate and proportional for the stated functionality.

      Persistence & Privilege: ok

      The skill does not request always:true and is user-invocable. It stores tokens and config under ~/.config/fitbit-cli with file permissions set to 0600 and runs a local callback server bound to 127.0.0.1; these are standard for an OAuth CLI and do not indicate excessive privilege.

      Guidance

      This skill appears to do what it says: it performs OAuth (PKCE) with Fitbit, stores tokens locally (~/.config/fitbit-cli/tokens.json, chmod 600), and only calls Fitbit endpoints. Before installing, confirm you obtain the 'fitbit' CLI from a trusted source (the repository/package listed), supply your own Fitbit Client ID via dev.fitbit.com, and review the token/config files if you want to audit stored credentials. If you later want to revoke access, run the CLI's logout or revoke the app from your Fitbit account. If you prefer not to allow autonomous agent invocation, ensure your agent's policy restricts or prompts before calling external skills.

      Latest Release

      v0.1.1

      Initial release: OAuth PKCE auth, activity/profile/summary commands


      Published by @pb3975 on ClawHub
