Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vitavault

v1.3.0

VitaVault iOS app integration - sync Apple Health data directly to your AI agent. Auto-setup webhook, token generation, and HTTPS exposure. Works with any iP...

by Brandon Stewart (@brandons7)
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
Most files (webhook.py, import.py, summary.py, briefing.py) align with the stated purpose of receiving and processing Apple Health data locally. However, scripts/query.py is written as a client for a VitaVault cloud API and requires VITAVAULT_API_URL — this conflicts with the SKILL.md's repeated claim of a direct phone→agent flow with "No shared servers, no middleman." The presence of both a local webhook receiver and a cloud-API client is plausible (optional features), but the mismatch is unexplained in the documentation and registry metadata.
Instruction Scope (flagged)
The SKILL.md instructs the agent to generate tokens, run a background webhook, expose that webhook publicly (Tailscale Funnel, cloudflared, ngrok, or reverse proxy), and create/enable a systemd service. These steps touch system-level configuration, require sudo in places, and create a publicly reachable HTTPS endpoint that will receive sensitive health data — all of which are consistent with a webhook receiver but are high-impact operations and should only be done with explicit user consent and careful setup.
Install Mechanism
There is no automated install spec (no downloads or arbitrary archives). The skill ships Python scripts and an instruction-only setup flow; nothing writes arbitrary third-party binaries to disk. This is lower risk than an automated remote download/install, though running the provided commands will create files and services locally.
Credentials (flagged)
The registry metadata declares no required env vars, but the shipped code and SKILL.md use VITAVAULT_SYNC_TOKEN (for webhook auth) and query.py requires VITAVAULT_API_URL (and optionally VITAVAULT_SYNC_TOKEN). The VITAVAULT_SYNC_TOKEN is proportional to the webhook purpose, but the required VITAVAULT_API_URL for the cloud query is not justified by SKILL.md's 'no middleman' claim. There are no unrelated credentials requested, but the public exposure instructions increase the risk of accidental data exposure if auth or tunnel configuration is misused.
Persistence & Privilege (flagged)
The guide recommends creating a systemd service and enabling it with sudo, which grants persistent, system-level presence and a network-exposed listener. The skill does not set always: true, but the suggested systemd install is a persistent privilege and should be treated as a deliberate, high-impact change requiring the user's explicit approval and careful configuration (paths, token, user account, firewall).
What to consider before installing
Before installing or running this skill, consider the following:

  1. Health data is highly sensitive — exposing an HTTP(S) webhook to the public (even via tunnels) risks leakage if the sync token is misconfigured, leaked, or omitted. Ensure the VITAVAULT_SYNC_TOKEN is set, long, and stored securely.
  2. The SKILL.md repeatedly promises "no middleman," but scripts/query.py requires a VITAVAULT_API_URL (a cloud API endpoint) — ask the developer what that cloud client is for and whether it will send or pull data from an external server.
  3. The instructions create a systemd service and recommend sudo operations; only proceed if you trust the code and understand how to adjust file paths, service user, and firewall rules.
  4. Prefer Tailscale Funnel or a private domain behind your own reverse proxy over public temporary tunnels for long-term use; temporary tunnels (ngrok, trycloudflare) are fine for short tests but not recommended for production health sync.
  5. Review the shipped Python scripts yourself (or run them in an isolated VM/container) — the webhook code shown saves incoming payloads locally and does not call external endpoints, but the query client will contact whatever URL you set in VITAVAULT_API_URL.
  6. If you accept the setup, perform an initial test with innocuous data, verify Authorization header enforcement, and restrict exposure (use firewall rules, Tailscale, or private domain).

If you need more certainty, ask the skill author to explicitly document the cloud API behavior and to include a manifest of which components are optional (local webhook vs cloud client).


669 downloads
0 stars
5 versions
Updated 6d ago
v1.3.0
MIT-0

VitaVault - Your Health, Decoded

Sync Apple Health data from VitaVault iOS app directly to your OpenClaw agent. No shared servers, no middleman - data flows phone to your agent only.

No Mac required. Install VitaVault from TestFlight (beta) or the App Store.

Agent Setup Guide (DO THIS WHEN USER SAYS "set up VitaVault")

When your user asks to set up VitaVault sync, follow these steps automatically. Don't ask the user to do the technical parts - handle it yourself and hand them the URL + token at the end.

Step 1: Generate a sync token

# Generate a secure random token. Create the directory before writing into it,
# and keep the token file readable by the owner only.
mkdir -p ~/.config/vitavault
python3 -c "import secrets; print(secrets.token_hex(32))" > ~/.config/vitavault/sync-token
chmod 600 ~/.config/vitavault/sync-token
TOKEN=$(cat ~/.config/vitavault/sync-token)
echo "Token: $TOKEN"

Step 2: Start the webhook

VITAVAULT_SYNC_TOKEN="$TOKEN" nohup python3 scripts/webhook.py --host 0.0.0.0 --port 8787 > /tmp/vitavault-webhook.log 2>&1 &

The webhook listens for health data POSTs and saves snapshots to ~/vitavault/data/.

Step 3: Expose it over HTTPS

The VitaVault iOS app requires HTTPS (iOS App Transport Security). You MUST expose the webhook over HTTPS. Detect what's available and use the first option that works:

Option A: Tailscale Funnel (recommended if Tailscale is installed)

# Check if Tailscale is available
tailscale status 2>/dev/null
# If yes, expose via Funnel:
sudo tailscale funnel --bg --set-path /vitavault http://127.0.0.1:8787
# Your URL will be: https://<your-tailscale-hostname>/vitavault
tailscale funnel status  # to see the URL

Option B: Cloudflare Tunnel (if cloudflared is installed)

cloudflared tunnel --url http://localhost:8787
# Gives you a temporary https://*.trycloudflare.com URL
# For permanent: set up a named tunnel with a custom domain

Option C: VPS with a domain + reverse proxy (nginx/caddy)

If the host already has a domain with HTTPS (nginx, caddy, etc.), add a reverse proxy rule:

location /vitavault {
    proxy_pass http://127.0.0.1:8787;
}

URL would be: https://yourdomain.com/vitavault

Option D: ngrok (quick testing)

ngrok http 8787
# Gives you a temporary https://*.ngrok-free.app URL

Step 4: Verify it works

curl -s https://YOUR-URL/health
# Should return: {"ok": true}

Step 5: Give the user their credentials

Tell your user:

Open VitaVault on your iPhone -> Settings -> OpenClaw

Webhook URL: https://YOUR-URL
Sync Token: <the token you generated>

Paste both in and tap Connect.

That's it. Once connected, VitaVault auto-syncs health data every time the app opens.

Step 6: Make it persistent (recommended)

The webhook should survive reboots. Create a systemd service:

# Unquoted heredoc so that $USER expands to your account name; <TOKEN> and the
# script path are placeholders you must replace before installing.
cat > /tmp/vitavault-webhook.service << EOF
[Unit]
Description=VitaVault Webhook Receiver
After=network.target

[Service]
Type=simple
User=$USER
Environment=VITAVAULT_SYNC_TOKEN=<TOKEN>
ExecStart=/usr/bin/python3 /path/to/skills/vitavault/scripts/webhook.py --host 127.0.0.1 --port 8787
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
# Adjust paths and token, then:
sudo cp /tmp/vitavault-webhook.service /etc/systemd/system/
# The unit file embeds the sync token, so do not leave it world-readable
sudo chmod 600 /etc/systemd/system/vitavault-webhook.service
sudo systemctl daemon-reload
sudo systemctl enable --now vitavault-webhook
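The setup steps above and item 6 of the scan notes ("verify Authorization header enforcement") rely on a receiver that answers an unauthenticated GET /health, checks the sync token on every POST before reading the body, and caps the payload size. The block below is an added illustration of that contract with a client-side probe, written for this page and not the skill's own scripts/webhook.py; the Bearer scheme, the 1 MB cap and the on_snapshot callback are assumptions.

```python
import hmac, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

MAX_BODY = 1_000_000  # assumed cap on one health snapshot (1 MB); refuse anything larger

def authorized(auth_header, expected_token):  # 'Bearer <token>' scheme is an assumption
    if not expected_token or not auth_header:
        return False
    scheme, _, presented = auth_header.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(presented.strip().encode(), expected_token.encode())

def make_handler(token, on_snapshot):  # on_snapshot(payload) stores the data (e.g. under ~/vitavault/data/)
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def do_GET(self):  # unauthenticated liveness probe, as checked in Step 4
            self._reply(200, {"ok": True}) if self.path == "/health" else self._reply(404, {})
        def do_POST(self):  # check the token before reading a single body byte
            if not authorized(self.headers.get("Authorization"), token):
                return self._reply(401, {"error": "unauthorized"})
            length = int(self.headers.get("Content-Length") or 0)
            if not 0 < length <= MAX_BODY:
                return self._reply(413, {"error": "bad length"})
            try:
                payload = json.loads(self.rfile.read(length))
            except ValueError:
                return self._reply(400, {"error": "invalid json"})
            on_snapshot(payload)
            self._reply(200, {"ok": True})
        def log_message(self, *args):  # keep request lines out of /tmp/vitavault-webhook.log
            pass
    return Handler

def serve(token, on_snapshot, host="127.0.0.1", port=0):  # port 0 picks a free port
    srv = HTTPServer((host, port), make_handler(token, on_snapshot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def status(url, token=None, payload=None):  # HTTP code for GET (payload None) or POST
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    data = None if payload is None else json.dumps(payload).encode()
    try:
        return request.urlopen(request.Request(url, data=data, headers=headers)).status
    except error.HTTPError as e:
        return e.code
```

Running the same three probes (no token, wrong token, right token) against the real webhook URL is the check behind Step 4: anything other than 401 for the first two means the token is not being enforced.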

Querying Health Data

Once data is syncing, use these scripts to read it:

# Latest snapshot summary
python3 scripts/summary.py

# Raw latest JSON
python3 scripts/query.py latest

# Last 7 days
python3 scripts/query.py week

# Date range
python3 scripts/query.py range 2026-02-01 2026-02-28

Data is stored locally at ~/vitavault/data/ as timestamped JSON files.

What You Can Do With the Data

Once synced, your agent can:

  • Track trends in steps, sleep, HRV, resting HR, blood oxygen
  • Compare current week vs prior week
  • Detect unusual drops/spikes and flag risks
  • Build morning health briefings
  • Generate doctor appointment summaries
  • Suggest habit changes based on actual data

Working with Manual Exports

Users can also export data manually from VitaVault (no webhook needed):

AI-Ready Format (Plain Text)

Pre-formatted for AI analysis. Users export from VitaVault and paste directly.

JSON Format

Structured data with nested metrics, dates, and units.

CSV Format

One row per day, opens in Excel/Google Sheets.

When a user shares an export:

  1. Acknowledge the data
  2. Highlight 2-3 key observations (positive and concerning)
  3. Give 3 specific, actionable recommendations
  4. Offer to dig deeper into any metric

Privacy

VitaVault sync data flows directly: iPhone -> your OpenClaw agent. No shared backend, no central relay, no third-party storage. Data is saved on your agent's host at ~/vitavault/data/ and nowhere else.
