Back to skill
Skillv0.0.1
ClawScan security
Slug Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 15, 2026, 11:50 PM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The instructions are internally consistent with streaming Apple Health data, but the skill omits provenance (no source/homepage), instructs you to run npx to fetch and execute a remote package, and recommends exposing sensitive health data via public tunnels — these gaps warrant caution before installing.
- Guidance
- What to consider before installing or running this: - Provenance: The skill bundle provides no source repository, homepage, or code files; SKILL.md tells you to run `npx healthclaw-webhook-server` which will download and execute code from npm. Before running, find and review the package on npm/GitHub (package name and version), inspect its source, and verify an official author or release artifact. If you cannot verify the upstream source, do not run `npx` on a package handling sensitive health data. - Least privilege and protection: The instructions reference an ADMIN_TOKEN but do not require it. If you run the server, set a strong ADMIN_TOKEN and verify admin endpoints are actually protected. Default or missing admin credentials could allow strangers to pair devices or read users. - Network exposure: The skill recommends exposing your server via Tailscale Funnel / Cloudflare Tunnel / ngrok so an iPhone can reach it. Exposing health data to the public internet substantially increases risk. Prefer Tailscale (authenticated, zero-trust tailnet) over public tunnels; if you must use a tunnel, restrict access, use HTTPS, and rotate pairing tokens frequently. - Sandbox/testing: Run the server in a sandboxed environment (container, dedicated user account, VM) and not on a machine that holds other sensitive secrets. Check what files it writes and what ports it opens before trusting it with real health data. - Data handling: The server stores an append-only JSONL of health records. Ensure filesystem permissions are restricted, encrypt backups if needed, and regularly audit the file for unexpected recipients. Understand how the iOS companion stores/sends tokens. - Things that would increase confidence: a published source repo or GitHub release that you can audit, an official npm package with a known maintainer, checksums/signatures for binaries, or an App Store–published iOS companion app. If the maintainer provides these, re-run the assessment. Given the sensitivity of health data and the lack of provenance for the server code, treat this skill as suspicious until you can confirm the upstream package and review its code/configuration.
Review Dimensions
- Purpose & Capability
- noteThe name/description (stream Apple Health data to a local webhook for analysis) aligns with the SKILL.md flow (webhook server, pairing, health-data.jsonl storage). However, the metadata declares no required env vars or install steps while the runtime instructions reference optional env vars (PORT, HEALTHCLAW_DATA_DIR, ADMIN_TOKEN) and an npm package (healthclaw-webhook-server) — that mismatch is an inconsistency in declared requirements vs. runtime needs.
- Instruction Scope
- noteThe SKILL.md stays on-topic (pairing, sync endpoints, storage, admin API). It does instruct you to expose the server to the public internet (Tailscale Funnel, Cloudflare Tunnel, ngrok) so your device can reach it and to run admin API calls (generate pairing, create users). Those steps are necessary for the stated purpose but increase the exposure of very sensitive health data; the instructions do not provide security defaults (e.g., require ADMIN_TOKEN) nor explicit guidance on safe configuration beyond optional tips.
- Install Mechanism
- concernThere is no install spec in the registry entry; the instructions tell the user to run `npx healthclaw-webhook-server`, which will download and execute code from the npm registry at runtime. Because no source repository, homepage, release URL, or checksum is provided, there's no provenance or verification step for that code — this is a meaningful installation risk for arbitrary code execution.
- Credentials
- noteThe skill metadata lists no required environment variables or credentials, but the SKILL.md references optional env vars (PORT, HEALTHCLAW_DATA_DIR, ADMIN_TOKEN) and recommends using third-party tunneling services (Tailscale/ngrok/cloudflared). The lack of declared env vars in the registry combined with runtime reliance on an ADMIN_TOKEN (for admin endpoints) is an inconsistency the user should be aware of. The skill does not request unrelated credentials, but it will require network and tunnel credentials in practice.
- Persistence & Privilege
- notealways:false and no code included in the skill bundle mean the skill itself doesn't demand permanent platform-level presence. However, the runtime use-case involves persistent local storage of sensitive health data (health-data.jsonl) and potential continuous services (LaunchAgent/systemd, Tailscale Funnel). Autonomous model invocation is allowed (platform default) — combine that with remote package execution and public exposure raises the blast radius.