Withings MCP

Review: Audited by ClawScan on May 6, 2026.

Overview

This instruction-only skill is coherent for Withings MCP setup, but it involves an external npm package, OAuth tokens, and sensitive health data, so users should verify trust before connecting it.

Before installing, confirm that you trust the withings-mcp-unofficial npm package and the linked project, then authenticate only if you are comfortable letting the configured MCP client access your Withings health data. Keep OAuth token files private, run audit/status checks first, and require explicit approval for any write or live provider action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Connecting this skill can allow an MCP client to access private Withings health and wellness records through the authenticated account.

Why it was flagged

The skill requires OAuth-backed access to a Withings account, which is expected for this connector but gives the MCP package delegated access to sensitive account data.

Skill content

Withings signed OAuth tokens stay under ~/.withings-mcp/.

Recommendation

Only authenticate with a Withings account you intend to expose to the MCP client, and do not share or print token files.

What this means

The actual code handling setup, authentication, and data access will come from the npm package resolved at install/runtime.

Why it was flagged

The setup directs users to execute an external npm package without a pinned version, while the provided artifact set contains only documentation and no package source for review.

Skill content

npx -y withings-mcp-unofficial setup

Recommendation

Verify the npm package and linked repository before running setup, and consider pinning a known-good version if supported.

What this means

If the connected MCP server supports mutations or live calls, an agent could affect provider-side or local data unless the user keeps approval boundaries clear.

Why it was flagged

The documentation acknowledges possible live provider calls or writes, but it also gives safer sequencing guidance and calls for explicit consent.

Skill content

Prefer connection_status, manifest, doctor, privacy_audit, or dry-run surfaces before any write or live provider call.

Recommendation

Use status, manifest, privacy audit, and dry-run modes first, and require explicit user approval before any write or live provider action.

What this means

A trusted MCP client may receive health-related data such as body composition, sleep, activity, workouts, and heart records.

Why it was flagged

The skill is intended to expose Withings data through MCP-compatible clients, which is expected but creates a sensitive data boundary between the local connector and any configured agent.

Skill content

helping Claude, Codex, Cursor, Hermes, OpenClaw, or another MCP-compatible client use this project

Recommendation

Configure the MCP server only in clients you trust, and review what data the client can request before using it.