Access your human's personal context data (biometrics, sleep, activity, calendar, location) via the Fulcra Life API and MCP server. Requires human's Fulcra account + OAuth2 consent.
Security Analysis
medium confidence
The skill's purpose, token use, and included auth script line up with accessing Fulcra personal data, but there are modest inconsistencies between the declared requirements and the runtime instructions (and an operational risk from long-lived refresh tokens and token handling) that you should understand before installing.
The skill's name/description (access Fulcra personal data) matches what it requests (FULCRA_ACCESS_TOKEN) and the included code calls the Fulcra API. However, the registry metadata only declares 'curl' as a required binary while SKILL.md and the included script expect python3/pip (and use of npx/uvx for MCP server integration). That mismatch is an implementation oversight that could surprise users but is not by itself malicious.
SKILL.md stays on-topic: it describes obtaining an OAuth2 token, storing it locally, using it in API calls to api.fulcradynamics.com, and running the provided fulcra_auth.py for device flow and refresh. It does instruct storing tokens to ~/.config/fulcra/token.json and exporting the token into the shell environment via command substitution (export FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)). Those behaviors are expected for this purpose but raise operational risk: the token-printing/cron-refresh pattern means any process that inherits that environment, or any log, backup, or shared shell session that captures the helper's output, can expose the token. The skill does not instruct reading unrelated system files or sending data to domains other than the Fulcra endpoints and the Auth0 domain.
There is no install spec (instruction-only) and the repository includes the Python script locally, so nothing unknown is automatically downloaded by the skill itself. SKILL.md references pip install fulcra-api and using npx/uvx to run an MCP server; those commands can pull network code at install/run-time if the user follows them. That is a normal developer flow but the user should be aware that npx/uvx will fetch remote packages when invoked.
Only a single primary credential is declared (FULCRA_ACCESS_TOKEN), which is appropriate for the stated purpose. The included code stores both access and refresh tokens locally to support silent refresh; that is proportionate for an OAuth2 client but increases the persistence of access (refresh tokens allow long-lived access) and thus should be considered a sensitive secret.
The skill does not request always:true or system-wide privileges. It writes token state to its own config path (~/.config/fulcra/token.json) and does not modify other skills' configs. The autonomous invocation default is allowed but not combined with elevated privileges here.
Guidance
This skill appears to do what it says (connect to Fulcra and read personal metrics), but before installing you should:
1) Verify you trust the Fulcra project and the referenced GitHub/MCP endpoints;
2) Confirm you have Python3 and pip if you plan to use the included script (the registry only listed 'curl', which is incomplete);
3) Understand that the included script stores a refresh_token locally (~/.config/fulcra/token.json) and can refresh access without a human; treat that file as highly sensitive and ensure file permissions and backups are protected;
4) Avoid placing token output into logs or shared shells (the helper can print the token for piping; this is convenient but risky);
5) If you deploy a cron job to auto-refresh, ensure the cron environment can't leak the token to other users or uploads;
6) Prefer least-privilege (only request the metrics you need) and be ready to revoke the refresh token from your Fulcra account if you suspect compromise.
If you need higher assurance, ask the maintainer for a formal provenance link (official repository release/tag) and a reproducible install spec that lists all required binaries.
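The file-permission and token-exposure points above (and the ~/.config/fulcra/token.json storage described in the analysis) are easy to state and easy to get wrong in a cron-driven helper. The following is an added example written for this page, not code from the skill, from fulcra_auth.py, or from Fulcra: it writes the token file atomically with mode 0600, refuses to load a file that is a symlink, owned by someone else, or group/world readable, and redacts the secret for status output. It assumes token.json is a JSON object with access_token and refresh_token keys (the skill's actual file layout is not documented on this page) and uses constructed placeholder tokens in demo(); the function and path names are this example's own.

```python
"""Hardened local token-file handling for an OAuth2 client (added example).

Assumption: the token file is JSON with 'access_token' and 'refresh_token'
keys at ~/.config/fulcra/token.json. Not the skill's own code.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_TOKEN_PATH = Path.home() / ".config" / "fulcra" / "token.json"


def write_token_file(tokens: dict, path: Path = DEFAULT_TOKEN_PATH) -> Path:
    """Write tokens to a 0600 file via a temp file + atomic rename.

    A crash mid-write can never leave a partially written or world-readable
    token.json, and a concurrent reader sees either the old or the new file.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)  # lock down the directory, not just the file
    fd, tmp_name = tempfile.mkstemp(dir=path.parent, prefix=".token-", suffix=".tmp")
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; make the intent explicit
        with os.fdopen(fd, "w") as fh:
            json.dump(tokens, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_name, path)
    except BaseException:
        try:
            os.unlink(tmp_name)
        except FileNotFoundError:
            pass
        raise
    return path


def check_token_file(path: Path = DEFAULT_TOKEN_PATH) -> list:
    """Return a list of problems with the token file; an empty list means safe to use."""
    path = Path(path)
    problems = []
    try:
        st = path.lstat()  # lstat so a symlink is inspected, not followed
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")  # a planted link could redirect reads/writes
    if st.st_uid != os.getuid():
        problems.append("not owned by current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("permissions too open: " + stat.filemode(st.st_mode))
    return problems


def load_tokens(path: Path = DEFAULT_TOKEN_PATH) -> dict:
    """Load tokens, refusing (rather than silently using) an unsafe file."""
    problems = check_token_file(path)
    if problems:
        raise PermissionError(str(path) + ": " + ", ".join(problems))
    with open(path) as fh:
        data = json.load(fh)
    for key in ("access_token", "refresh_token"):
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(str(path) + ": missing or empty " + key)
    return data


def redact(token: str, keep: int = 4) -> str:
    """Form safe for 'status' output and logs: never the full secret."""
    if len(token) <= keep:
        return "*" * len(token)
    return "..." + token[-keep:] + " (" + str(len(token)) + " chars)"


def demo() -> dict:
    """Round-trip in a temp dir using constructed placeholder tokens (not real credentials)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "fulcra" / "token.json"
        sample = {"access_token": "constructed-access-token",
                  "refresh_token": "constructed-refresh-token"}
        write_token_file(sample, path)
        mode = stat.filemode(path.stat().st_mode)
        clean = check_token_file(path)
        loaded = load_tokens(path)
        os.chmod(path, 0o644)  # simulate a sloppy backup/restore loosening the mode
        loose = check_token_file(path)
        try:
            load_tokens(path)
            refused = False
        except PermissionError:
            refused = True
    return {"mode": mode, "clean_problems": clean, "loaded_matches": loaded == sample,
            "loose_problems": loose, "refused_after_loosening": refused}


if __name__ == "__main__":
    result = demo()
    print(result)
    print("status:", redact("constructed-access-token"))
```

The demo() round-trip is what you would run as a quick self-check after installing: the written file should report mode -rw-------, check_token_file should return nothing, and once the mode is loosened load_tokens should refuse rather than proceed. For the cron-refresh case, the same refusal path is the one that stops a job from quietly continuing after a backup or a shared-account copy has widened permissions.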
Latest Release
v1.2.0
Token lifecycle management with refresh tokens via scripts/fulcra_auth.py. Humans authorize once — refresh tokens handle automatic re-auth. Includes status/token commands for cron-friendly usage.
Published by @arc-claw-bot on ClawHub