v1.0.0

Health Guardian

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:24 AM.

Analysis

This skill is broadly aligned with health monitoring, but it needs review because it handles sensitive Apple Health data, sets up recurring agent activity, and makes privacy and medical-capability claims that the artifacts do not fully support.

GuidanceReview carefully before installing. Only use it with clear consent from the person whose health data is monitored, verify the exact Apple Health/iCloud folder being read, protect or encrypt the local data directory, and do not enable cron or external alerts until recipients and privacy expectations are confirmed. Do not rely on this as a complete medical safety system unless the advertised checks are implemented and independently validated.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

- **Apple Health** via Health Auto Export (iCloud sync) ... Configure: JSON format, iCloud Drive sync, hourly export ... **Privacy:** Nothing leaves your machine. No cloud. No telemetry.

The privacy statement conflicts with the required iCloud-based export flow for health data, and the skill also presents external alerting options. This can make users underestimate cloud/provider exposure.

User impactA user may believe health data never touches cloud services even though the setup relies on iCloud sync and may use external alert channels.

RecommendationReplace the 'no cloud' claim with a precise data-flow disclosure covering Health Auto Export, iCloud, local storage, and any alert channels.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

39 metrics supported ... Missed medication inference ... UTI pattern detection ... Pressure injury prevention ... Medication interactions

These are high-trust medical monitoring claims. The provided analyzer only evidences temperature, heart-rate, and sleep checks, the importer maps far fewer metrics than claimed, and the manifest does not include the advertised scripts/summary.py.

User impactCaregivers or users could rely on alerts for medication, UTI, pressure-injury, or other chronic-condition risks that the included artifacts do not actually demonstrate.

RecommendationNarrow the advertised capabilities to what is implemented, add clear human-review/medical-safety guidance, and include tested code for any high-stakes health claims.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

Set Up Cron Import ... "expr": "0 * * * *" ... "text": "Run health import and check for anomalies" ... Add to Heartbeat

The skill asks the user to create recurring agent activity. This is disclosed and aligned with proactive monitoring, but it persists beyond a single invocation.

User impactOnce enabled, the agent may continue importing health data and checking for anomalies hourly until the cron/heartbeat entry is removed.

RecommendationEnable the schedule only after verifying paths, recipients, and alert behavior; document how to pause or remove the cron and heartbeat entries.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

scripts/import_health.py

HEALTH_EXPORT_PATH = os.path.expanduser("~/Library/Mobile Documents/iCloud~com~ifunography~HealthExport/Documents")
AUTOSYNC_PATH = os.path.join(HEALTH_EXPORT_PATH, "AutoSync/HealthMetrics")

The importer reads a fixed iCloud Health Export directory. The advertised config includes a data_source setting, but this script does not load config.json, so user configuration does not appear to bound the health-data read scope.

User impactThe skill may read sensitive Apple Health export data from a hard-coded location even if the user expected configuration to control the source path.

RecommendationLoad and honor a user-configured data_source, declare the required local/iCloud path in metadata, and require explicit consent for the exact health-data directory.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceMediumStatusConcern

SKILL.md

"alert_channel": "telegram" ... If health data shows anomalies, alert human via preferred channel.

The skill contemplates sending health anomaly alerts through an external messaging/provider channel, but artifacts do not define recipient validation, consent, content minimization, or provider privacy boundaries.

User impactSensitive health alerts could be sent to an external service or unintended recipient if an agent follows the alert instructions without careful configuration.

RecommendationRequire explicit recipient/channel configuration, minimize health details in messages, and confirm user/caregiver consent before enabling external alerts.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

All data stays local in `data/`: - `readings.json` — raw metric values with timestamps - `baselines.json` — calculated normal ranges per metric - `alerts.json` — triggered alerts history - `patterns.json` — detected correlations

The skill stores persistent health readings, baselines, alerts, and patterns for reuse. This is purpose-aligned, but the data is highly sensitive and could be exposed by backups, other agents, or shared folders.

User impactPrivate health history may remain on disk and be reused or viewed outside the original monitoring task.

RecommendationStore the data directory in a protected location, exclude it from source control and broad agent memory, define retention/deletion rules, and consider encryption.