healthsync

Security checks across malware telemetry and agentic risk

Overview

This is a coherent read-only Apple Health query skill, but users should treat the health data, installer, and optional server mode carefully.

Install only if you trust the external healthsync CLI and are comfortable letting an agent read Apple Health export data. Prefer a verifiable or pinned install method over piping a remote script into bash, keep queries narrow, avoid sharing raw JSON/CSV health records unnecessarily, and do not start the HTTP server unless you understand how it is bound and secured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill is explicitly designed to access highly sensitive health information, including cardiac, sleep, blood pressure, and body metrics, but it does not provide a clear privacy warning or guidance on minimizing exposure in outputs. In an agent setting, this increases the risk of unnecessary disclosure, over-collection, or accidental sharing of regulated/sensitive personal data.

External Script Fetching

High
Category
Supply Chain
Content
```bash
# macOS and Linux (recommended)
curl -fsSL https://healthsync.sidv.dev/install | bash

# Or via Go
go install github.com/BRO3886/healthsync@latest
```
Confidence
98% confidence
Finding
curl -fsSL https://healthsync.sidv.dev/install | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# macOS and Linux (recommended)
curl -fsSL https://healthsync.sidv.dev/install | bash

# Or via Go
go install github.com/BRO3886/healthsync@latest
```
Confidence
97% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.
