Skill v1.0.1
ClawScan security
Health Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 13, 2026, 1:29 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (collect Garmin data, assemble prompts, call NotebookLM, and produce reports), but there are privacy and scope inconsistencies you should understand before installing.
- Guidance: This skill is internally consistent for a Garmin-based health coach, but pay special attention to privacy: it sends your wearable metrics and history to NotebookLM (Google) via the notebooklm CLI, despite marketing language that suggests 'local-only' analysis. Before installing or running: 1) Decide whether you are comfortable sending health metrics to Google/NotebookLM; review NotebookLM's privacy policy. 2) Inspect and run the included install.sh in a safe/isolated environment (e.g., a disposable VM), because it will pip install packages and download a Chromium browser. 3) Note that garth stores Garmin session tokens in ~/.garth; protect that directory and verify its contents. 4) The skill stores config and history under ~/.openclaw/data/health-assistant (config.json set to 0o600), but the user email is stored in plain text and health records are kept locally for 30 days; consider whether that storage location meets your privacy requirements. 5) If you require strictly local analysis, do not authenticate NotebookLM (or replace NotebookLM with a local LLM); otherwise assume your prompts and health metrics will be transmitted to Google. 6) If you want higher assurance, have a developer review the code and verify network calls (or run in a network-restricted sandbox) before linking real accounts.
Review Dimensions
- Purpose & Capability (ok): The name/description match the code: the skill uses the garth client to read Garmin wearable data, builds a prompt, and calls NotebookLM via its CLI to generate recommendations. The included install script and requirements target those components. Some claimed future features (Apple/Fitbit) are listed in docs but not implemented yet; that's a minor product vs. implementation mismatch.
- Instruction Scope (concern): The runtime instructions and code send detailed health metrics and history to NotebookLM (a Google-hosted service) via the notebooklm CLI. The README/PRD emphasize 'No Cloud Data Transfer' and 'local analysis' while simultaneously instructing the user to log in to NotebookLM and to run the 'notebooklm ask' command; this is a direct privacy/scope contradiction. The prompt templates include user-specific concerns and history (and the setup stores the user email), so sensitive biometric/health data and contextual metadata will be transmitted to a third-party LLM service unless the user runs NotebookLM in an isolated/local deployment (which is not documented). The skill relies on the NotebookLM tool to respect the privacy rules in the prompt, but that is an operational trust assumption rather than a technical enforcement.
- Install Mechanism (note): There is no registry 'install' entry, but an install.sh and requirements.txt are included. install.sh will create a venv, pip install garth and notebooklm-py[browser], and run Playwright to download Chromium; these actions fetch external packages and browser binaries (normal for NotebookLM browser login). This is expected for the stated functionality but does involve downloading third-party code and a browser engine; review/verify these components before running the installer.
- Credentials (note): The skill declares no required environment variables, which aligns with what is needed. It does rely on local session/config files (e.g., ~/.garth for Garmin sessions and ~/.notebooklm_session for NotebookLM) and writes config/history to ~/.openclaw/data/health-assistant. Storing the user email in config is explicit and noted in docs. The code sets config.json permissions to 0o600 (good), but sensitive health data and user identifiers are still stored locally and may be included in prompts sent to NotebookLM.
- Persistence & Privilege (ok): The skill does not request elevated platform privileges, and 'always' is false. It stores its own config/history under ~/.openclaw/data/health-assistant and does not attempt to modify other skills or global agent settings. Autonomous invocation (default) is allowed by platform policy but is not combined here with unusually broad credential requests.
