open-health-link

Advisory. Audited by static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any user or process that can read the token file can present the stored token to the provider API and query the user's linked breo health data; the file is the credential.

Why it was flagged

The skill stores and reads breo authorization tokens from specific local files, including legacy locations. This is expected for account binding, but it grants access to the user's breo-linked health data.

Skill content
export const TOKEN_FILE = join(OPEN_HEALTH_LINK_DATA_DIR, "token.json"); ... TOKEN_FALLBACK_FILES = [join(..., ".openclaw", "open-health-link", "token.json"), join(..., ".openclaw", "breo-scalp5", "token.json")]
Recommendation

Install only if you intend to link your breo account; use the skill's unlink/clear flow when finished, and avoid sharing the skill data directory.

What this means

The skill may download and install JavaScript packages into its scripts directory before running.

Why it was flagged

The skill may invoke npm to install a Node dependency before first use. This is purpose-aligned for QR-code generation and requires confirmation, but it is still local command execution and package installation.

Skill content
On first use, or when the dependency is missing, first tell the user that a dependency installation will be performed and obtain their confirmation, then run: npm ci --prefix "{baseDir}/scripts" --omit=dev --no-audit --no-fund --registry=https://registry.npmmirror.com
Recommendation

Approve the dependency installation only if you trust the skill publisher and are comfortable using the configured npm mirror and included lockfile.

What this means

The skill relies on third-party npm code to generate QR images.

Why it was flagged

The skill depends on the external qrcode npm package. A package-lock is included, which reduces but does not eliminate normal dependency supply-chain risk.

Skill content
"dependencies": { "qrcode": "^1.5.4" }
Recommendation

Keep the lockfile intact and avoid modifying the install command or dependency source unless you have reviewed the replacement.

What this means

Care-plan text may change when the remote knowledge base changes, affecting the advice the assistant summarizes.

Why it was flagged

Care-plan explanations are retrieved from a remote CSV knowledge base. The code pins the host and path and enforces HTTPS and size limits, so this is bounded and purpose-aligned, but the retrieved content influences the assistant's health-management advice.

Skill content
const DEFAULT_CSV_URL = "https://breo-obs.obs.cn-south-1.myhuaweicloud.com/agents/plan-catalog.csv"; ... if (parsed.hostname !== ALLOWED_CSV_HOST || parsed.pathname !== ALLOWED_CSV_PATH) { throw new Error("Care-plan knowledge base source is untrusted."); }
Recommendation

Treat care-plan recommendations as informational health-management guidance and consult a qualified professional for persistent or serious symptoms.