endurance-coach

SUSPICIOUS. The skill’s coaching purpose is plausible and most local data access is proportionate, but its execution trust and data-flow integrity are underdocumented. The main concerns are unpinned `npx @latest` execution for core commands and ambiguous Strava auth/sync implementation, which could route tokens or athlete data through unidentified third-party code. No confirmed malware or overt exfiltration is shown, but the trust chain is too unclear to treat as benign.