Apple Health MCP
PassAudited by ClawScan on May 6, 2026.
Overview
The skill is coherent and privacy-aware, but it handles sensitive Apple Health export data and tells users to run an external npm package that was not included for review.
Before installing, verify the `apple-health-mcp-unofficial` package and linked repository, use a local Apple Health export you are comfortable sharing with the MCP client, and avoid providing OAuth tokens or cloud credentials unless you independently confirm they are necessary.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup will execute code from the referenced package on the user's machine.
The setup path relies on an external npm package run through npx, and the reviewed artifact set contains only instructions, not the package code. This is purpose-aligned setup behavior, but the executable provenance is not reviewed here.
`npx -y apple-health-mcp-unofficial setup --export-path /path/to/export.zip`
Verify the npm package and linked repository before running it; consider pinning a trusted version instead of relying on the latest package.
The connected agent may be able to inspect and summarize personal health, activity, sleep, and workout history from the provided export.
The skill is explicitly designed to make private health information available to an agent as working context. This is disclosed and purpose-aligned, but health data is highly sensitive.
Read a local Apple Health export and expose activity, sleep, heart, HRV, workouts, and long-term trends to agents.
Use only an export you intend to share with the MCP client, keep transcripts private, and run the listed privacy-audit/status surfaces before asking broad health questions.