apple-health-skills
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent local health-data query helper, but it exposes sensitive wellness data to the agent and includes optional Whoop setup/scheduled sync instructions that users should verify.
Use this skill only if you are comfortable letting the agent read and summarize your local health database. Confirm that .env points to the intended database/user, keep query windows narrow, and do not add Whoop credentials or schedule sync jobs unless you have reviewed the missing setup/sync scripts. Treat all guidance as informational, not medical advice.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When you ask for health summaries, the agent may run local Python commands and optionally contact your local collector health-check endpoint.
The skill explicitly asks the agent to use shell commands and an optional HTTP health check. These actions are disclosed and match the local health-query purpose.
Shell tool: run `scripts/query_health.py` to pull fresh JSON data. ... HTTP tool: optionally verify collector availability with `/healthz`
Use this only with a trusted local collector and database path; review any changed command parameters before broadening the query scope.
Your heart rate, glucose, sleep, live HR, and related health data may be visible to the agent during the session.
The skill is designed to retrieve personal health metrics and place them into the agent's working context for summarization.
Base your answer on the returned JSON fields: `generated_at`, `user_id`, `window_hours` ... `heart_rate,glucose,sleep_stage`
Only use the skill with data you are comfortable sharing with the agent, and avoid asking it to query wider windows than needed.
If you enable the Whoop portion, the setup may require credentials and tokens that grant access to your Whoop account data.
Optional Whoop setup involves provider credentials and stored OAuth tokens, but the registry metadata declares no credentials or required environment variables.
Add credentials to `.env`: `WHOOP_CLIENT_ID=<client-id>` `WHOOP_CLIENT_SECRET=<client-secret>` ... Authorize and store tokens: `python scripts/setup_whoop.py`
Before adding Whoop credentials, verify the setup/sync code you will run and confirm the requested account permissions are appropriate.
The documented Whoop setup may not work as packaged, or may require additional unreviewed code.
The Whoop instructions reference setup and sync scripts that are not present in the provided file contents, so their behavior cannot be assessed from these artifacts.
`python scripts/setup_whoop.py` ... `python scripts/sync_whoop.py --days 30`
Do not run missing or separately obtained helper scripts until you have reviewed their source and provenance.
A scheduled sync could continue collecting Whoop data after the initial setup until you disable it.
This is a user-directed scheduled task suggestion. It is disclosed and purpose-aligned, but it would create ongoing background syncing if the user enables it.
After setup, keep data fresh by running `sync_whoop.py` on a schedule (e.g. daily cron).
Only create a cron job if you want ongoing sync, and document how to disable or remove it.
