Fulcra Context
Flagged @arc-claw-bot
{"isSafe":false,"isSuspicious":true,"riskLevel":"high","findings":[{"category":"shell_command","severity":"high","description":"Remote code execution risk: The MCP integration uses npm's npx to run a remote script (mcp-remote) from a URL (https://mcp.fulcradynamics.com/mcp). This could execute arbitrary code on the user's machine.","evidence":"{\n \"mcpServers\": {\n \"fulcra_context\": {\n \"command\": \"npx\",\n \"args\": [\"-y\", \"mcp-remote\", \"https://mcp.fulcradynamics.com/mcp\"]\n }\n }\n}"},{"category":"data_exfiltration","severity":"high","description":"Handling and persistence of OAuth2 tokens: The skill saves access/refresh tokens to disk (~/.config/fulcra/token.json) and exposes an API to print/export the access token, increasing the risk of token leakage if the host is compromised.","evidence":"Save the token for automation:\n```python\ntoken_data = {\n \"access_token\": api.fulcra_cached_access_token,\n \"expiration\": api.fulcra_cached_access_token_expiration.isoformat(),\n \"user_id\": api.get_fulcra_userid()\n}\nwith open(\"~/.config/fulcra/token.json\", \"w\") as f:\n json.dump(token_data, f)\n```\n\nToken lifecycle commands:\n```bash\nexport FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)\n```\n\nSetup examples show interactive authorize and token retrieval:\n```bash\npython3 scripts/fulcra_auth.py authorize\n```\n"}],"summary":"The skill defines legitimate data-access capabilities for Fulcra context (biometrics, sleep, calendar, location) and uses standard commands for API access. However, two genuinely risky patterns are present: (1) remote code execution via npx to a remote MCP script, which could run arbitrary code on the user’s machine, and (2) handling of OAuth2 tokens (stored on disk and exposed via environment/output) that could be abused if the host is compromised. 
These should be mitigated (e.g., replace remote execution with a trusted local component, secure token storage, least-privilege access, and careful token handling)."}
npx machina-cli add skill @arc-claw-bot/fulcra-context --openclaw
Fulcra Context — Personal Data for AI Partners
Give your agent situational awareness. With your human's consent, access their biometrics, sleep, activity, location, and calendar data from the Fulcra Life API.
What This Enables
With Fulcra Context, you can:
- Know how your human slept → adjust morning briefing intensity
- See heart rate / HRV trends → detect stress, suggest breaks
- Check location → context-aware suggestions (home vs. office vs. traveling)
- Read calendar → proactive meeting prep, schedule awareness
- Track workouts → recovery-aware task scheduling
Privacy Model
- OAuth2 per-user — your human controls exactly what data you see
- Their data stays theirs — Fulcra stores it, you get read access only
- Consent is revocable — they can disconnect anytime
- NEVER share your human's Fulcra data publicly without explicit permission
Setup
Option 1: MCP Server (Recommended)
Use Fulcra's hosted MCP server at https://mcp.fulcradynamics.com/mcp (Streamable HTTP transport, OAuth2 auth).
Your human needs a Fulcra account (free via the Context iOS app or Portal).
Claude Desktop config (claude_desktop_config.json):
```json
{
  "mcpServers": {
    "fulcra_context": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.fulcradynamics.com/mcp"]
    }
  }
}
```
Or run locally via uvx:
```json
{
  "mcpServers": {
    "fulcra_context": {
      "command": "uvx",
      "args": ["fulcra-context-mcp@latest"]
    }
  }
}
```
Also tested with: Goose, Windsurf, VS Code. Open source: github.com/fulcradynamics/fulcra-context-mcp
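An added example, not part of the skill or of Fulcra's code: a small audit that reads an `mcpServers` block like the two above and reports launcher entries that download and run whatever package version is current at start-up. The server names `fulcra_npx` and `fulcra_uvx`, the function names and the floating-tag list are assumptions made for the illustration.

```python
import json

# Constructed sample: the two launcher entries shown above, merged into one config.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "fulcra_npx": {"command": "npx",
                   "args": ["-y", "mcp-remote", "https://mcp.fulcradynamics.com/mcp"]},
    "fulcra_uvx": {"command": "uvx", "args": ["fulcra-context-mcp@latest"]}
  }
}
""")

FLOATING_TAGS = {"latest", "next"}  # assumption: tags treated as "not pinned"


def split_spec(spec):
    """Split 'name@version'; a scoped npm name keeps its leading '@'."""
    name, sep, version = spec.rpartition("@")
    if not sep or not name:  # no '@' at all, or only the scope '@'
        return spec, None
    return name, version


def audit_mcp_launchers(config):
    """Return (server, issue) pairs for entries that fetch unpinned code."""
    findings = []
    for server, entry in config.get("mcpServers", {}).items():
        command, args = entry.get("command"), entry.get("args", [])
        if command not in ("npx", "uvx"):
            continue
        if command == "npx" and ("-y" in args or "--yes" in args):
            findings.append((server, "npx -y installs without a confirmation prompt"))
        # The first non-flag argument is the package spec the launcher downloads.
        spec = next((a for a in args if not a.startswith("-")), None)
        if spec is None:
            continue
        name, version = split_spec(spec)
        if version is None:
            findings.append((server, f"{name} has no version pin"))
        elif version in FLOATING_TAGS:
            findings.append((server, f"{name}@{version} is a floating tag"))
    return findings


if __name__ == "__main__":
    for server, issue in audit_mcp_launchers(SAMPLE_CONFIG):
        print(f"{server}: {issue}")
```
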
Option 2: Direct API Access
- Your human creates a Fulcra account
- They generate an access token via the Python client or Portal
- Store the token: `skills.entries.fulcra-context.apiKey` in `openclaw.json`
Option 3: Python Client (Tested & Proven)
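```bash
pip3 install fulcra-api
```
```python
from datetime import datetime, timedelta, timezone
from fulcra_api.core import FulcraAPI

api = FulcraAPI()
api.authorize()  # Opens device flow — human visits URL and logs in

# Query window used below (example values): the last 24 hours, in UTC
end = datetime.now(timezone.utc)
start = end - timedelta(hours=24)

# Now you have access:
sleep = api.metric_samples(start, end, "SleepStage")
hr = api.metric_samples(start, end, "HeartRate")
events = api.calendar_events(start, end)
catalog = api.metrics_catalog()
```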
Save the token for automation:
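```python
import json
import os

token_data = {
    "access_token": api.fulcra_cached_access_token,
    "expiration": api.fulcra_cached_access_token_expiration.isoformat(),
    "user_id": api.get_fulcra_userid()
}
# open() does not expand "~", so resolve the path first
token_path = os.path.expanduser("~/.config/fulcra/token.json")
os.makedirs(os.path.dirname(token_path), mode=0o700, exist_ok=True)
# Create the file readable and writable by the owner only (0600)
fd = os.open(token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as f:
    json.dump(token_data, f)
```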
Token expires in ~24h. Use the built-in token manager for automatic refresh (see below).
Token Lifecycle Management
The skill includes scripts/fulcra_auth.py which handles the full OAuth2 lifecycle — including refresh tokens so your human only authorizes once.
```bash
# First-time setup (interactive — human approves via browser)
python3 scripts/fulcra_auth.py authorize
# Refresh token before expiry (automatic, no human needed)
python3 scripts/fulcra_auth.py refresh
# Check token status
python3 scripts/fulcra_auth.py status
# Get current access token (auto-refreshes if needed, for piping)
export FULCRA_ACCESS_TOKEN=$(python3 scripts/fulcra_auth.py token)
```
How it works:
- `authorize` runs the Auth0 device flow and saves both the access token AND refresh token
- `refresh` uses the saved refresh token to get a new access token — no human interaction
- `token` prints the access token (auto-refreshing if expired) — perfect for cron jobs and scripts
Set up a cron job to keep the token fresh:
For OpenClaw agents, add a cron job that refreshes the token every 12 hours:
```bash
python3 /path/to/skills/fulcra-context/scripts/fulcra_auth.py refresh
```
Token data is stored at ~/.config/fulcra/token.json (permissions restricted to owner).
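An added example, not taken from `scripts/fulcra_auth.py`: a check an operator can run against the stored token file to confirm that it is owner-only and unexpired, using the `access_token`/`expiration`/`user_id` layout from the save snippet earlier. It assumes a POSIX host; the sample files, the fake token and the function names are constructed for the illustration.

```python
import json
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone


def audit_token_file(path, now=None):
    """Return a list of problems found with a token.json in the layout above."""
    now = now or datetime.now(timezone.utc)
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} lets group/other access the token")
    if st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & 0o022:
        problems.append("parent directory is writable by group/other")
    with open(path) as f:
        data = json.load(f)
    expires = datetime.fromisoformat(data["expiration"])
    if expires.tzinfo is None:  # assumption: naive timestamps are UTC
        expires = expires.replace(tzinfo=timezone.utc)
    if expires <= now:
        problems.append("access token has expired")
    return problems


def write_sample(directory, mode, lifetime):
    """Write a constructed token.json (fake token) with the given mode and lifetime."""
    path = os.path.join(directory, f"token-{mode:o}.json")
    expiry = datetime.now(timezone.utc) + lifetime
    with open(path, "w") as f:
        json.dump({"access_token": "CONSTRUCTED-NOT-A-REAL-TOKEN",
                   "expiration": expiry.isoformat(),
                   "user_id": "00000000-0000-0000-0000-000000000000"}, f)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit_token_file(write_sample(d, 0o644, timedelta(hours=-1))))
        print(audit_token_file(write_sample(d, 0o600, timedelta(hours=24))))
```
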
Quick Commands
Check sleep (last night)
```bash
# Get time series for sleep stages (last 24h)
# date -v is BSD/macOS syntax; with GNU date use: date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ
curl -s "https://api.fulcradynamics.com/data/v0/time_series_grouped?metrics=SleepStage&start=$(date -u -v-24H +%Y-%m-%dT%H:%M:%SZ)&end=$(date -u +%Y-%m-%dT%H:%M:%SZ)&samprate=300" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"
```
Check heart rate (recent)
```bash
# date -v is BSD/macOS syntax; with GNU date use: date -u -d '2 hours ago' +%Y-%m-%dT%H:%M:%SZ
curl -s "https://api.fulcradynamics.com/data/v0/time_series_grouped?metrics=HeartRate&start=$(date -u -v-2H +%Y-%m-%dT%H:%M:%SZ)&end=$(date -u +%Y-%m-%dT%H:%M:%SZ)&samprate=60" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"
```
Check today's calendar
```bash
# Replace {fulcra_userid} with the user's Fulcra user ID
curl -s "https://api.fulcradynamics.com/data/v0/{fulcra_userid}/calendar_events?start=$(date -u +%Y-%m-%dT00:00:00Z)&end=$(date -u +%Y-%m-%dT23:59:59Z)" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"
```
Available metrics
```bash
curl -s "https://api.fulcradynamics.com/data/v0/metrics_catalog" \
  -H "Authorization: Bearer $FULCRA_ACCESS_TOKEN"
```
Key Metrics
| Metric | What It Tells You |
|---|---|
| SleepStage | Sleep quality — REM, Deep, Light, Awake |
| HeartRate | Current stress/activity level |
| HRV | Recovery and autonomic nervous system state |
| StepCount | Activity level throughout the day |
| ActiveCaloriesBurned | Exercise intensity |
| RespiratoryRate | Baseline health indicator |
| BloodOxygen | Wellness check |
Integration Patterns
Morning Briefing
Check sleep + calendar + weather → compose a briefing calibrated to energy level.
Stress-Aware Communication
Monitor HRV + heart rate → if elevated, keep messages brief and non-urgent.
Proactive Recovery
After intense workout or poor sleep → suggest lighter schedule, remind about hydration.
Travel Awareness
Location changes → adjust timezone handling, suggest local info, modify schedule expectations.
Demo Mode
For public demos (VC pitches, livestreams, conferences), enable demo mode to swap in synthetic calendar and location data while keeping real biometrics.
Activation
```bash
# Environment variable (recommended for persistent config)
export FULCRA_DEMO_MODE=true
# Or pass --demo flag to collect_briefing_data.py
python3 collect_briefing_data.py --demo
```
What changes in demo mode
| Data Type | Demo Mode | Normal Mode |
|---|---|---|
| Sleep, HR, HRV, Steps | ✅ Real data | ✅ Real data |
| Calendar events | 🔄 Synthetic (rotating schedules) | ✅ Real data |
| Location | 🔄 Synthetic (curated NYC spots) | ✅ Real data |
| Weather | ✅ Real data | ✅ Real data |
Transparency
- Output JSON includes `"demo_mode": true` at the top level
- Calendar and location objects include `"demo_mode": true`
- When presenting to humans, include a subtle "📍 Demo mode" indicator
What's safe to share publicly
- ✅ Biometric trends, sleep quality, step counts, HRV — cleared for public
- ✅ Synthetic calendar and location (demo mode) — designed for public display
- ❌ NEVER share real location, real calendar events, or identifying data
Overview
Fulcra Context lets your agent fetch a human’s biometrics, sleep, activity, location, and calendar data from the Fulcra Life API through the MCP server or direct API access. It requires per-user OAuth2 consent and keeps the data in the human’s control, with read-only access for the agent.
How This Skill Works
The skill uses per-user OAuth2 authorization to grant read-only access to Fulcra data. You can connect via the MCP server (recommended) at https://mcp.fulcradynamics.com/mcp or use direct API access with a stored access token. Token management is supported via a Python-based workflow that handles device-flow authorization and automatic refresh.
When to Use It
- Prepare context-aware morning briefings based on last night's sleep and HRV.
- Provide location-aware suggestions (home, office, travel) and calendar-informed prep.
- Proactively review upcoming meetings with calendar data for on-time briefing.
- Schedule tasks and rest periods around workout data and recovery signals.
- Operate under strict privacy controls with per-user consent and read-only data access.
Quick Start
- Step 1: Choose setup: use MCP Server (recommended) or Direct API access, and configure the appropriate credentials or token handling.
- Step 2: Authorize: run the device-flow based authorization (e.g., python3 scripts/fulcra_auth.py authorize) and save the tokens, or generate an access token via the portal/python client.
- Step 3: Query data: fetch metrics (Sleep, HeartRate), calendar events, and location data via the Fulcra API and use the results to power context-aware actions.
Best Practices
- Always obtain per-user OAuth2 consent and explicitly limit the agent to read-only data.
- Prefer the MCP server setup for reliable transport and easy token management.
- Store access tokens securely (e.g., encrypted config) and rotate tokens before expiry.
- Test data queries with small time ranges (e.g., last 24 hours) before full-scale use.
- Regularly run token refresh (fulcra_auth.py refresh) to avoid expired tokens during automation.
Example Use Cases
- A personal assistant adjusts morning briefing length based on SleepStage and HRV trends.
- A health coach schedules tasks after detecting a lull in energy from recent activity data.
- A travel assistant uses current location to tailor context, traffic, and meeting prep.
- An executive assistant preloads calendar events for the day to enable proactive notes.
- A privacy-first bot only accesses data after the user explicitly authorizes and can disconnect anytime.