Heartrate

Pass

Audited by ClawScan on May 1, 2026.

Overview

The artifacts show a local heart-rate logging tool with no evidenced network, credential, or destructive behavior, but it does persist sensitive health entries on disk and has unclear CLI installation metadata.

This appears suitable as a local-only heart-rate log. Treat the entries as sensitive health data, verify the `heartrate` command comes from a trusted source, and manage or delete the local data files when you no longer need them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Heart-rate readings and related notes may remain on disk and could be visible to anyone with access to the user account or local backups.

Why it was flagged

The skill intentionally persists heart-rate and goal-related entries, which are sensitive personal health data, in a local directory and can create exports.

Skill content

All data is stored locally at `~/.local/share/heartrate/`. Each action is logged with timestamps. Use `export` to back up your data anytime.

Recommendation

Use it only on a trusted device, avoid entering unnecessary sensitive details, and periodically review or delete the local data directory and exports if needed.

What this means

A user or agent may rely on an externally installed `heartrate` command, so the command actually executed should be verified.

Why it was flagged

The package includes a shell script and the documentation assumes a `heartrate` command, but the install metadata does not declare how that command is installed or what binary should exist.

Skill content

No install spec — this is an instruction-only skill. Code file presence: scripts/script.sh

Recommendation

Before running commands, confirm that `heartrate` resolves to the reviewed packaged script or another trusted executable.