HealthFit
Review
Audited by ClawScan on May 1, 2026.
Overview
HealthFit appears purpose-aligned as a local health tracker, but it stores sensitive health and sexual-health data persistently and includes local backup/export scripts users should handle carefully.
Before installing, decide whether you are comfortable keeping health, body, nutrition, TCM, and possible sexual-health records in local files. Protect the data directory, review scripts before running backup/export/init commands, and be careful with exported files or any cloud-synced folders.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal health and sexual-health details may remain on disk across sessions and could be exposed by device sharing, backups, or cloud sync.
The skill persistently stores sexual-health records and other health profile data locally, with double confirmation configured but encryption disabled.
"sexual_health": "private_sexual_health.json" ... "require_double_confirm": true, "encrypt_sensitive": false
Only enter health details you are comfortable storing locally, keep the skill data folder out of shared or synced locations, and avoid storing highly sensitive sexual-health data until encryption is available.
Running export or backup commands can create extra copies of sensitive health records that may be easier to share, sync, or lose track of.
The export utility can copy local health JSON data into a separate export directory; private sexual-health export is gated by an explicit flag and verification.
parser.add_argument("--output", "-o", default="./healthfit_export" ...); ... shutil.copy2(json_file, dest)
Run backup/export scripts only when you intend to, review the output directory, and use the private-data option only after considering where the exported files will go.
A user may not immediately realize the package contains local scripts that can read, write, back up, or export health data.
The registry/install metadata presents no install mechanism or required binaries, while the artifact bundle includes runnable Python helper scripts.
No install spec — this is an instruction-only skill. Code file presence: 4 code file(s): scripts/backup.py ... scripts/init_db.py
Review bundled scripts before running them, and the publisher should declare Python/helper-script expectations in the registry metadata.
Users could over-trust the skill because of its own review claims, despite the presence of sensitive persistent health data.
The project report includes self-attested safety/review claims; these should not replace independent review of the actual permissions and data handling.
Overall Rating: 9.5/10 (Six rounds of review passed) ... Zero RED FLAGS
Treat self-reported safety ratings as informational only and base installation decisions on the actual data storage, backup, and export behavior.
