Personal Fitbit integration for daily health tracking with adaptive sleep and activity reporting
Security Analysis
High confidence. The skill's code, instructions, and required environment variables are consistent with a local Fitbit OAuth integration and do what the description says; nothing in the bundle indicates unexplained access or hidden exfiltration.
Name/description (Fitbit integration) match the included scripts and docs. Required binaries (python3), required env vars (FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_REDIRECT_URI, optional FITBIT_TZ) are appropriate for OAuth-based Fitbit API access.
SKILL.md instructs the agent to run the included scripts (oauth login, fetch, normalize, render). Those scripts only access Fitbit endpoints (api.fitbit.com), local token files, and local temp files; they do not reference unrelated system files, other credentials, or external endpoints beyond Fitbit.
No install spec; this is an instruction-only skill with bundled Python scripts that rely on the standard library only. Nothing is downloaded from third-party URLs or installed silently.
Declared environment variables are exactly the OAuth client ID/secret/redirect URI and an optional timezone; these are necessary and proportionate. The scripts only read these vars (and optionally FITBIT_SCOPES and FITBIT_TOKEN_PATH) as expected.
The always flag is false and the skill does not request persistent platform privileges. It stores tokens to a local path (~/.config/openclaw/fitbit/token.json by default), which is normal for an OAuth client; it does not modify other skills or global agent settings.
Guidance
This skill appears to do what it says: a local Fitbit OAuth client and renderer. Before installing, ensure you: (1) create a Fitbit developer app and keep the Client Secret private; (2) set FITBIT_REDIRECT_URI to a safe local URL (loopback) or your chosen redirect endpoint; (3) understand tokens will be stored on disk by default at ~/.config/openclaw/fitbit/token.json (you can override with FITBIT_TOKEN_PATH); (4) review scopes (activity, sleep, heartrate, profile, weight) and only grant what you are comfortable sharing; and (5) be aware the scripts will make network calls to api.fitbit.com and respect Fitbit rate limits. If you need higher assurance, inspect the token file after authentication and verify file permissions (save_token attempts 0o600).
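One way to carry out the token-file check recommended above, as an added example that is not the skill's or ClawHub's own code: save_token_secure writes a token file that is never wider than 0o600, even momentarily, and audit_token_file reports the permission and ownership problems a reviewer would look for after authentication. The function names, the demo scenario and the token values are constructed for illustration and are not taken from the skill's scripts.

```python
import json
import os
import stat
import tempfile

def save_token_secure(path: str, token: dict) -> None:
    """Write token JSON with mode 0o600 from the first instant (mkstemp ignores
    the umask) and rename it atomically over the target, so no reader ever sees
    a partially written or wider-permissioned file."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(token, fh)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)  # never leave a half-written temp file behind
        raise

def audit_token_file(path: str) -> list[str]:
    """Return findings for a stored token file; an empty list means it looks safe."""
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink swapped in for the file is reported
    except FileNotFoundError:
        return ["token file missing"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink or special file)")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other bits set: {stat.filemode(st.st_mode)}")
    if st.st_uid != os.getuid():
        findings.append("owned by a different user")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group/world writable")
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a secure write, then the same file widened to 0o644."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token.json")
        save_token_secure(path, {"access_token": "CONSTRUCTED", "refresh_token": "CONSTRUCTED"})
        secure = audit_token_file(path)
        os.chmod(path, 0o644)  # what a plain open() under umask 022 would have produced
        return secure, audit_token_file(path)

if __name__ == "__main__":
    print(demo())
```

Run audit_token_file against the real path (~/.config/openclaw/fitbit/token.json, or whatever FITBIT_TOKEN_PATH points to) after the OAuth login step; any non-empty result means the file should be re-permissioned or re-created before the skill is used.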
Latest Release
v0.2.2
v0.2.2 - Skill invocation fix, sleep field correction, date resolution
### Bug Fixes
- SKILL.md frontmatter: Added missing triggers for auto-activation on sleep/fitness queries
- Timezone default: Was hardcoded to UTC instead of respecting the FITBIT_TZ env var. Fixed.
- Sleep field name mismatch: duration_minutes vs minutesAsleep corrected
- Schema docs updated to reflect the correct duration_minutes field name
### Documentation
- 3-step pipeline documented (fetch → normalize → render)
- Date rule: Use --date today for morning sleep queries (Fitbit returns last night's sleep under today's date)
- Duration warning: Never use the raw API duration field directly (it includes wake time); always use the normalized duration_minutes
Published by @crabsticksalad on ClawHub