wahoo-cloud

Accesses Wahoo Fitness Cloud API to fetch and analyze workout data, parsing metrics into a local SQLite database for insights.

Security score: 34/100

The wahoo-cloud skill was audited on May 14, 2026 and we found 22 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 89

Template literal with variable interpolation in command context

Source: SKILL.md
89: ```bash
medium line 98

Template literal with variable interpolation in command context

Source: SKILL.md
98: ```bash
medium line 115

Template literal with variable interpolation in command context

Source: SKILL.md
115: ```bash
medium line 130

Template literal with variable interpolation in command context

Source: SKILL.md
130: ```bash
medium line 131

Curl to non-GitHub URL

Source: SKILL.md
131: curl -s -X POST https://api.wahooligan.com/oauth/token \
medium line 21

Access to hidden dotfiles in home directory

Source: SKILL.md
21: | "Show recent rides" / "Last week's training" | Query `~/.openclaw/workspace/training/wahoo.db` (or `$WAHOO_TRAINING_DIR/wahoo.db`) — schema below |
medium line 30

Access to hidden dotfiles in home directory

Source: SKILL.md
30: **Credential auto-loading:** if `WAHOO_CLIENT_ID` / `WAHOO_CLIENT_SECRET` aren't in the calling shell, `wahoo_auth.py` automatically reads them from `~/.openclaw/secrets/wahoo.env` (override path with
medium line 44

Access to hidden dotfiles in home directory

Source: SKILL.md
44: Add to `~/.clawdbot/clawdbot.json`:
medium line 75

Access to hidden dotfiles in home directory

Source: SKILL.md
75: The script prints an authorization URL. Open it in a browser, log in with your Wahoo account, approve. You'll be redirected to your callback URL with `?code=...` in the query string (the page itself w
low line 80

Access to hidden dotfiles in home directory

Source: SKILL.md
80: python3 ~/.openclaw/workspace/training/fetch_wahoo.py
medium line 83

Access to hidden dotfiles in home directory

Source: SKILL.md
83: This pulls the workout list, fetches detail (and FIT URL) for each new workout, downloads FIT files into `~/.openclaw/workspace/training/wahoo_fit/`, parses them, and upserts records into `~/.openclaw
medium line 30

Access to .env file

Source: SKILL.md
30: **Credential auto-loading:** if `WAHOO_CLIENT_ID` / `WAHOO_CLIENT_SECRET` aren't in the calling shell, `wahoo_auth.py` automatically reads them from `~/.openclaw/secrets/wahoo.env` (override path with
low line 4

External URL reference

Source: SKILL.md
4: homepage: https://cloud-api.wahooligan.com/
low line 12

External URL reference

Source: SKILL.md
12: API base: `https://api.wahooligan.com`. Workout endpoints live under `/v1/workouts`. OAuth2 with the `offline_data` scope yields a long-lived refresh token; access tokens expire after ~2 hours and the
low line 36

External URL reference

Source: SKILL.md
36: 1. Go to https://developers.wahooligan.com
low line 38

External URL reference

Source: SKILL.md
38: 3. Set callback URL (e.g. `https://localhost:8080/` — the manual-paste OAuth helper works with any registered callback)
low line 54

External URL reference

Source: SKILL.md
54: "WAHOO_REDIRECT_URI": "https://localhost:8080/"
low line 66

External URL reference

Source: SKILL.md
66: export WAHOO_REDIRECT_URI="https://localhost:8080/"
low line 91

External URL reference

Source: SKILL.md
91: "https://api.wahooligan.com/v1/workouts?page=1&per_page=30"
low line 100

External URL reference

Source: SKILL.md
100: "https://api.wahooligan.com/v1/workouts/WORKOUT_ID"
low line 117

External URL reference

Source: SKILL.md
117: "https://api.wahooligan.com/v1/user"
low line 131

External URL reference

Source: SKILL.md
131: curl -s -X POST https://api.wahooligan.com/oauth/token \
Scanned on May 14, 2026