Compose a personalized morning briefing using sleep, biometrics, calendar, and weather data from the Fulcra Life API. Adapts tone and detail to how your human actually slept.
Security Analysis
high confidenceThe skill is internally consistent with its stated purpose (pulling Fulcra biometric/calendar data and composing a morning briefing); nothing in the code or instructions appears malicious, though there are small mismatches and privacy trade-offs to consider.
The skill's name/description (morning briefing from Fulcra data) matches the included code and instructions: it requires python3 and the fulcra-api client, performs OAuth device flow, reads sleep/HR/HRV/calendar data, and fetches weather via wttr.in. Minor inconsistency: registry metadata lists a primaryEnv of FULCRA_ACCESS_TOKEN but the provided scripts use a saved token file (~/.config/fulcra/token.json) and do not read a FULCRA_ACCESS_TOKEN environment variable.
SKILL.md and the scripts stick to the declared purpose: instructing the user to install fulcra-api, run an interactive OAuth device flow, save a token, then collect metric samples and calendar events and call wttr.in for weather. The runtime instructions do create/read a local token file and run curl for weather, which are expected for this use case. There are no instructions to read unrelated system files or to transmit data to unknown endpoints beyond Fulcra API and wttr.in.
No risky installers or arbitrary downloads: the skill relies on pip to install the fulcra-api package (standard pattern) and uses no extract/download URLs. There is no install spec in the registry beyond instructions to run pip; that's proportionate.
The skill requests access to Fulcra data only (biometrics, calendar). That is proportionate for its purpose. Two small issues: (1) registry metadata declares FULCRA_ACCESS_TOKEN as the primary credential but the scripts implement device-flow and store a token file instead (they do not read FULCRA_ACCESS_TOKEN), which is an inconsistency the integrator should clarify; (2) the skill stores an OAuth access token locally (~/.config/fulcra/token.json), which grants whoever can read that file access to the user's Fulcra data for the token lifetime (~24h).
The skill writes a token into the user's home config directory (~/.config/fulcra/token.json) so it can reuse the access token. This is normal for a client using OAuth device flow, but it is persistent sensitive state. The skill does not request global 'always' inclusion or modify other skills; agent autonomous invocation is allowed by default (not flagged alone) — combined with the stored token, that means the agent could reuse the token if invoked later.
Guidance
This skill appears to do what it says: it uses the Fulcra API and wttr.in to build a sleep- and biometrics-aware morning briefing. Before installing, consider: (1) Privacy — the skill accesses sensitive biometric and calendar data. The OAuth token is saved to ~/.config/fulcra/token.json and is valid for ~24 hours; protect that file and avoid running on shared machines. (2) Credential mismatch — the registry lists FULCRA_ACCESS_TOKEN as a primaryEnv but the scripts use an OAuth device flow and a token file; clarify whether you need to set an env var or just run the authorize script. (3) Package trust — the skill requires installing the third-party fulcra-api Python package; review its source (github link in README) if you have concerns. (4) Autonomous runs — agents may invoke the collector when allowed; if you want to limit automatic access, avoid granting this skill high-privilege/autonomous execution in your agent settings. If you accept those trade-offs, the skill is coherent for its stated purpose.
Latest Release
v1.0.0
Initial release: personalized morning briefings calibrated to sleep quality using Fulcra Life API biometrics, calendar, and weather data.
Popular Skills
Published by @arc-claw-bot on ClawHub
