Skillv1.3.0

ClawScan security

Vitavault · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 1, 2026, 7:05 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it claims (runs a local webhook and saves Apple Health snapshots) but contains a few mismatches and system-impacting instructions (public HTTPS exposure, systemd install, and an unexplained cloud-API client) that merit caution before installation.
Guidance: Before installing or running this skill, consider the following: 1) Health data is highly sensitive — exposing an HTTP(S) webhook to the public (even via tunnels) risks leakage if the sync token is misconfigured, leaked, or omitted. Ensure the VITAVAULT_SYNC_TOKEN is set, long, and stored securely. 2) The SKILL.md repeatedly promises "no middleman," but scripts/query.py requires a VITAVAULT_API_URL (a cloud API endpoint) — ask the developer what that cloud client is for and whether it will send or pull data from an external server. 3) The instructions create a systemd service and recommend sudo operations; only proceed if you trust the code and understand how to adjust file paths, service user, and firewall rules. 4) Prefer Tailscale Funnel or a private domain behind your own reverse proxy over public temporary tunnels for long-term use; temporary tunnels (ngrok, trycloudflare) are fine for short tests but not recommended for production health sync. 5) Review the shipped Python scripts yourself (or run them in an isolated VM/container) — the webhook code shown saves incoming payloads locally and does not call external endpoints, but the query client will contact whatever URL you set in VITAVAULT_API_URL. 6) If you accept the setup, perform an initial test with innocuous data, verify Authorization header enforcement, and restrict exposure (use firewall rules, Tailscale, or private domain). If you need more certainty, ask the skill author to explicitly document the cloud API behavior and to include a manifest of which components are optional (local webhook vs cloud client).

Review Dimensions

Purpose & Capability: concernMost files (webhook.py, import.py, summary.py, briefing.py) align with the stated purpose of receiving and processing Apple Health data locally. However, scripts/query.py is written as a client for a VitaVault cloud API and requires VITAVAULT_API_URL — this conflicts with the SKILL.md's repeated claim of a direct phone→agent flow with "No shared servers, no middleman." The presence of both a local webhook receiver and a cloud-API client is plausible (optional features), but the mismatch is unexplained in the documentation and registry metadata.
Instruction Scope: concernThe SKILL.md instructs the agent to generate tokens, run a background webhook, expose that webhook publicly (Tailscale Funnel, cloudflared, ngrok, or reverse proxy), and create/enable a systemd service. These steps touch system-level configuration, require sudo in places, and create a publicly reachable HTTPS endpoint that will receive sensitive health data — all of which are consistent with a webhook receiver but are high-impact operations and should only be done with explicit user consent and careful setup.
Install Mechanism: okThere is no automated install spec (no downloads or arbitrary archives). The skill ships Python scripts and an instruction-only setup flow; nothing writes arbitrary third-party binaries to disk. This is lower risk than an automated remote download/install, though running the provided commands will create files and services locally.
Credentials: concernThe registry metadata declares no required env vars, but the shipped code and SKILL.md use VITAVAULT_SYNC_TOKEN (for webhook auth) and query.py requires VITAVAULT_API_URL (and optionally VITAVAULT_SYNC_TOKEN). The VITAVAULT_SYNC_TOKEN is proportional to the webhook purpose, but the required VITAVAULT_API_URL for the cloud query is not justified by SKILL.md's 'no middleman' claim. There are no unrelated credentials requested, but the public exposure instructions increase the risk of accidental data exposure if auth or tunnel configuration is misused.
Persistence & Privilege: concernThe guide recommends creating a systemd service and enabling it with sudo, which grants persistent, system-level presence and a network-exposed listener. The skill does not set always: true, but the suggested systemd install is a persistent privilege and should be treated as a deliberate, high-impact change requiring the user's explicit approval and careful configuration (paths, token, user account, firewall).