HealthFit-cn
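v4.0.0 Personal all-dimension health management system integrating Chinese and Western medicine. Triggers immediately when the user raises topics such as exercise training plans, diet and nutrition advice, health data recording and tracking, TCM constitution identification, solar-term wellness, tongue diagnosis analysis, or sexual-health logging. Provides multiple professional advisors (sports coach matrix / Dr. Mei nutritionist / Analyst Ray data analyst / TCM wellness advisor matrix); sports coaches are subdivided by discipline (track and field, swimming, ...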
⭐ 0· 189·1 current·1 all-time
by ChenChen @chenchen913
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (personal health management, training, nutrition, TCM, sexual-health logging) matches the provided files and SKILL.md. The skill reads/writes local profile and logs, routes questions to role files, and ships backup/export/init scripts — all coherent for a local health-recording skill.
Instruction Scope
SKILL.md explicitly instructs reading local data files (data/json/profile.json, onboarding_draft.json) and routing to agent role files. That is expected for a stateful health skill. The content-moderation layer is present for sexual-health topics. There are no instructions in SKILL.md to read unrelated system paths or environment variables.
Install Mechanism
The registry entry has no formal install spec, but README/AGENTS.md instructs git clone / npx commands that would fetch code from a GitHub account. Installing via those commands will pull and run third-party code — a standard but higher-risk action than an instruction-only skill. The included Python scripts are local and do not show network calls in the inspected snippets, but executing them requires caution.
Credentials
The skill requests no environment variables or external credentials (good). However, config.json indicates sensitive sexual-health data is stored in a separate file (private_sexual_health.json) and by default encryption is disabled (encrypt_sensitive: false). Backup/export scripts will exclude that file by default but can include it after interactive confirmation. Storing sensitive health data unencrypted by default is a proportionality/privacy concern.
Persistence & Privilege
Skill is not marked always:true and does not request elevated system privileges. It reads/writes only within its own data/ and db/ folders according to the provided scripts and SKILL.md, which is expected behavior for a local personal data skill.
Scan Findings in Context
[regex_scan_no_findings] expected: Static pre-scan reported no injection signals. That aligns with the visible code snippets which perform local file I/O and sqlite use without obvious network exfiltration in the reviewed files. Absence of findings is not proof of safety — review of all omitted files is still recommended.
Assessment
This skill appears to do what it claims (local health tracking, TCM and Western nutrition, role-based responses) and includes helper scripts for backups/exports. Before installing or running it:
1) Treat the repository as third-party code — the README suggests cloning or using npx which will download and run code; verify the source (GitHub user) and review code you will run.
2) Sensitive-data note: private_sexual_health.json is stored locally but config.json shows encryption is disabled by default; consider enabling encryption or securing that file, and confirm the 'require_double_confirm' behavior meets your needs.
3) Backup/export scripts can include sensitive files after interactive confirmation — verify logs and backup locations to avoid accidental cloud sync.
4) Some runtimes (Claude Code, etc.) can execute the included Python scripts; only allow script execution in a trusted, sandboxed environment and inspect scripts for network or exec calls before running.
5) If you need stronger guarantees, request an audited package release (signed/release archive) or run the skill in an isolated VM/container and set encrypt_sensitive to true in config.json.
If you want, I can list exact lines to change to enable encryption or show how to inspect the remaining omitted files for network I/O.
Like a lobster shell, security has layers — review code before you run it.
Tags: fitness, health, latest, wellness
