ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wellness Coach AI

v1.0.0

Launch a personalized AI wellness coach video session (Baymax persona) using Tavus CVI + Claude. Fetches real wearable health data (sleep, HRV, recovery) and...

0· 42·0 current·0 all-time
byAndre Chuabio@andrechuabio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly requires ANTHROPIC and TAVUS credentials and describes integrating Oura/Fitbit/Google Calendar and Telegram. However the registry metadata lists no required environment variables or credentials — a clear mismatch. Asking for wearable tokens and calendar OAuth is coherent with the wellness purpose, but the metadata omission and requests for multiple external service credentials are disproportionate to what the registry claims.
!
Instruction Scope
Runtime instructions direct the agent/operator to clone and run a backend (uvicorn) and cron scripts that fetch health data, create live Tavus sessions, and send Telegram briefings. They include a /debug-env endpoint to 'check all API keys are loaded' (which could expose secrets if accessible) and an OpenClaw HEARTBEAT entry that instructs the agent to forward formatted messages 'as-is' — enabling automated, verbatim message forwarding. These behaviors go beyond a simple query/response skill and introduce automation and potential data exposure.
!
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md directs users to git clone https://github.com/AndreChuabio/wellness-coach and pip install requirements from that repo. That effectively causes a third-party code download and execution on the host. Because the skill bundle itself does not include the code and the upstream repo owner is external/unknown relative to the registry owner, this raises risk unless you audit the repository first.
!
Credentials
The documentation lists multiple sensitive env vars (ANTHROPIC_API_KEY, TAVUS_API_KEY, TAVUS_REPLICA_ID, TAVUS_PERSONA_ID, OURA/Fitbit tokens, Google credentials/token, and implicitly a Telegram bot token) but the registry metadata claims none are required. Some required tokens (e.g., Telegram bot token) are not explicitly documented in SKILL.md. The number and sensitivity of secrets requested is high and not reflected in the package metadata — a proportionality and transparency problem.
!
Persistence & Privilege
The skill itself is not 'always: true', but the instructions ask you to register a daily OpenClaw cron and add an OpenClaw HEARTBEAT.md entry that will cause an agent to automatically run the pipeline and forward messages. Combined with the ability to send Telegram messages verbatim and the presence of a /debug-env endpoint, this grants ongoing automation with access to sensitive tokens and outbound delivery channels — increasing the blast radius if abused.
What to consider before installing
Do not run or deploy this code without review. Key checks before installing: (1) Verify the GitHub repository contents and the identity/reputation of the repo owner; inspect backend/cron/send_briefing.py and backend/context_builder.py for any data exfiltration or unexpected network calls. (2) Don’t expose the /debug-env endpoint publicly — it may reveal secrets. (3) Confirm exactly which environment variables are required (including Telegram bot token) and scope them to least privilege; prefer creating tokens with minimal permissions and rotate them after testing. (4) If you enable the OpenClaw cron/heartbeat automation, ensure the recipient and message formatting are correct and consider requiring manual confirmation rather than verbatim automatic forwarding. (5) Test in an isolated environment (VM/container) and review network activity during a dry run. If you cannot or will not audit the upstream code, treat this skill as untrusted and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

ai-coachvk97bzzrrgs7bt6k58tafkswrqn84mxvfhealthvk97bzzrrgs7bt6k58tafkswrqn84mxvflatestvk97bzzrrgs7bt6k58tafkswrqn84mxvfmeditationvk97bzzrrgs7bt6k58tafkswrqn84mxvftavusvk97bzzrrgs7bt6k58tafkswrqn84mxvfwellnessvk97bzzrrgs7bt6k58tafkswrqn84mxvf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments