OpenClaw Health Brief

v1.0.0

Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code matches the stated purpose (fetch Oura/WHOOP/Withings, normalize, render a brief). However the registry metadata declared no required env vars or binaries while the implementation expects the 1Password CLI ('op'), OP_SERVICE_ACCOUNT_TOKEN / OPENCLAW_1P_VAULT when using 1Password, and various provider tokens as env var fallbacks. The omission in the manifest is an inconsistency.
Instruction Scope
SKILL.md stays within the expected scope (authorize providers via OAuth, run reauth, run brief, add cron). It explicitly instructs storing tokens in 1Password and in a local file (~/.openclaw/secrets/health_tokens.json). The instructions do not appear to request unrelated system data, but they do direct the agent to open a browser for OAuth and to source an existing gateway.env in cron — both of which assume access to local environment and secrets.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain footprint, but the package contains executable Python CLI code and expects external tooling (the 'op' CLI). The absence of an install step means the user is responsible for installing Python dependencies and the 'op' binary; this should have been declared.
Credentials
The skill will read and use many sensitive environment variables and external secrets (OP_SERVICE_ACCOUNT_TOKEN, OPENCLAW_1P_VAULT, WHOOP_*/OURA_*/WITHINGS_*). The registry lists none of these. The code also calls the 'op' CLI via subprocess to read (and optionally write) 1Password items — a high-privilege operation. WRITEBACK to 1Password is gated by OPENCLAW_1P_WRITEBACK=1, but that flag is not highlighted in the manifest. The local secrets file (~/.openclaw/secrets/health_tokens.json) is created and persisted (chmod 600 attempted). Because secrets are accessed and persisted, the declared requirements are insufficient and the requested privileges are more than the manifest implies.
Persistence & Privilege
The skill persists rotated tokens to a local JSON file (~/.openclaw/secrets/health_tokens.json) and will attempt 1Password writeback if OPENCLAW_1P_WRITEBACK=1 and 'op' is available. always:false and no special platform-wide modifications are requested. This is expected for an OAuth token-handling CLI, but it expands the blast radius if you enable 1Password writeback — exercise caution.
What to consider before installing
This skill's code implements the described functionality, but the manifest omitted important operational requirements. Before installing or enabling it:

  • Assume this will read secrets from your 1Password vault (via the 'op' CLI) if available and from environment variables otherwise. The skill will persist rotated tokens to ~/.openclaw/secrets/health_tokens.json (it attempts chmod 600).
  • The skill can also write back refresh tokens to 1Password, but only if you set OPENCLAW_1P_WRITEBACK=1 and have the 'op' CLI and OP_SERVICE_ACCOUNT_TOKEN available — don't enable that flag unless you trust the code and its environment.
  • The registry metadata did not declare required binaries or env vars; you should verify and install the 'op' CLI yourself and provide only the minimum secrets needed. Consider using environment-only tokens or a dedicated vault/service-account with least privilege.
  • Review core/util/secrets.py and core/util/local_secrets.py to confirm they behave as you expect (they call subprocess.run('op') and atomically write a JSON file).
  • If you don't trust the code or the unknown source/owner, don't enable writeback and run the smoke test (./bin/smoke) in an isolated environment first. Ask the publisher for a canonical source repository or homepage before deploying it into production/automated cron jobs.

Like a lobster shell, security has layers — review code before you run it.

latest vk977sfdjwmn2aqyy0g6z57t8b180qrat
1.2k downloads
2 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

OpenClaw Health Brief

Daily health metrics from Oura, WHOOP, and Withings → normalized JSON + Markdown brief.

Setup (3 steps)

Step 1: Configure secrets

Option A: 1Password (recommended)

export OP_SERVICE_ACCOUNT_TOKEN="your-token"
export OPENCLAW_1P_VAULT="Assistant"  # or your vault name

Create items in your vault with these titles and fields:

  • OpenClaw Whoop: client_id, client_secret, token, refresh_token
  • OpenClaw Oura: client_id, client_secret, token, refresh_token
  • OpenClaw Withings: client_id, client_secret, access_token, refresh_token, user_id

See ./docs/1PASSWORD_CONVENTIONS.md for full field details.

Option B: Environment variables

# WHOOP
export WHOOP_ACCESS_TOKEN="..." WHOOP_REFRESH_TOKEN="..." WHOOP_CLIENT_ID="..." WHOOP_CLIENT_SECRET="..."
# Oura
export OURA_PERSONAL_ACCESS_TOKEN="..."  # or OAuth: OURA_REFRESH_TOKEN + OURA_CLIENT_ID + OURA_CLIENT_SECRET
# Withings
export WITHINGS_CLIENT_ID="..." WITHINGS_CLIENT_SECRET="..." WITHINGS_REFRESH_TOKEN="..." WITHINGS_USER_ID="..."

Step 2: Authorize providers

python3 ./bin/health-reauth all

This opens your browser for each provider. Click authorize, and tokens are saved to both 1Password and ~/.openclaw/secrets/health_tokens.json automatically.

You can also re-auth individually: python3 ./bin/health-reauth whoop

Step 3: Run your first brief

./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "./out/daily_health_$(date +%F).json"

That's it. Token rotation is handled automatically — refreshed tokens persist to the local file so you don't need to re-auth again.
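
Once the three steps are done, it is worth confirming what the skill can now reach. The following POSIX shell audit is an added example, not part of the skill's code: it lists the names (never the values) of the secret-bearing variables named on this page, checks that the token file and its directory are owner-only, and flags OPENCLAW_1P_WRITEBACK=1. The function names and the TOKENS_FILE override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the skill. Variable names and the token path are
# the ones this page lists; function names and TOKENS_FILE are assumptions.
TOKENS_FILE="${TOKENS_FILE:-$HOME/.openclaw/secrets/health_tokens.json}"

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeeds only if the path exists and grants nothing to group or other.
owner_only() {
  [ -e "$1" ] || return 1
  case "$(mode_of "$1")" in
    0|*00) return 0 ;;
    *)     return 1 ;;
  esac
}

# Names (never values) of secret-bearing variables present in the environment.
exposed_vars() {
  awk 'BEGIN {
    re = "^(OP_SERVICE_ACCOUNT_TOKEN|OPENCLAW_1P_(VAULT|WRITEBACK)|(WHOOP|OURA|WITHINGS)_[A-Z_]+)$"
    for (k in ENVIRON) if (k ~ re) print k
  }' | sort
}

# Prints one line per finding; the return status is the number of findings.
audit() {
  findings=0
  dir=$(dirname "$1")
  if [ -e "$1" ]; then
    owner_only "$1" || { echo "FAIL $1 has mode $(mode_of "$1"), expected 600"; findings=$((findings + 1)); }
    owner_only "$dir" || { echo "FAIL $dir is accessible to group/other"; findings=$((findings + 1)); }
  fi
  if [ "${OPENCLAW_1P_WRITEBACK:-}" = "1" ]; then
    echo "WARN OPENCLAW_1P_WRITEBACK=1: rotated tokens will be written back to 1Password"
    findings=$((findings + 1))
  fi
  if [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ] && ! command -v op >/dev/null 2>&1; then
    echo "WARN OP_SERVICE_ACCOUNT_TOKEN is set but the op CLI is not on PATH"
    findings=$((findings + 1))
  fi
  return "$findings"
}

echo "secret variables set: $(exposed_vars | tr '\n' ' ')"
audit "$TOKENS_FILE" || echo "findings: $?"
```

Run it in the same shell or cron environment that launches the brief, and again after the first token rotation, since the file is rewritten when tokens refresh.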

Add to OpenClaw cron

Wire it into your morning routine with an OpenClaw cron job:

openclaw cron add \
  --name "morning-health-brief" \
  --schedule "0 8 * * *" \
  --tz "America/New_York" \
  --session-target isolated \
  --message 'Run the health brief:
source ~/.openclaw/secrets/gateway.env
export OPENCLAW_1P_VAULT=YourVault
./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics with a Green/Yellow/Red rating.'

The cron job runs as an isolated agent session — it executes the brief, reads the output, and delivers a formatted summary to your preferred channel.

Smoke test (no creds needed)

./bin/smoke

Runs in sample mode, validates JSON schema. Good for checking the skill is installed correctly.

Troubleshooting

Check individual providers

./bin/whoop --date "$(date +%F)"
./bin/oura --date "$(date +%F)"
./bin/withings --date "$(date +%F)"

Common errors

  • has_token: false → credentials not found. Check 1Password item names or env vars.
  • refresh_failed → refresh token expired. Run python3 ./bin/health-reauth <provider>
  • missing_credentials → client_id/client_secret not set.

Validate output JSON

./bin/validate-json --in ./out/daily_health_YYYY-MM-DD.json

References

  • ./docs/1PASSWORD_CONVENTIONS.md — field naming for 1Password items
  • ./docs/OURA.md, ./docs/WHOOP.md, ./docs/WITHINGS.md — provider API notes
  • ./docs/MORNING_BRIEF.md — morning brief intent and format
