Withings MCP
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: withings-mcp
Version: 0.1.1
The skill bundle provides instructions for an AI agent to install and configure the 'withings-mcp-unofficial' package via npx to access Withings health data. The SKILL.md file includes explicit safety guidelines directing the agent not to expose OAuth tokens or private user data stored in ~/.withings-mcp/, and the overall logic is consistent with its stated purpose of providing a Model Context Protocol (MCP) interface for health metrics.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Connecting this skill can allow an MCP client to access private Withings health and wellness records through the authenticated account.
The skill requires OAuth-backed access to a Withings account, which is expected for this connector but gives the MCP package delegated access to sensitive account data.
Withings signed OAuth tokens stay under ~/.withings-mcp/.
Only authenticate with a Withings account you intend to expose to the MCP client, and do not share or print token files.
The actual code handling setup, authentication, and data access will come from the npm package resolved at install/runtime.
The setup directs users to execute an external npm package without a pinned version, while the provided artifact set contains only documentation and no package source for review.
npx -y withings-mcp-unofficial setup
Verify the npm package and linked repository before running setup, and consider pinning a known-good version if supported.
If the connected MCP server supports mutations or live calls, an agent could affect provider-side or local data unless the user keeps approval boundaries clear.
The documentation acknowledges possible live provider calls or writes, but it also gives safer sequencing guidance and calls for explicit consent.
Prefer connection_status, manifest, doctor, privacy_audit, or dry-run surfaces before any write or live provider call.
Use status, manifest, privacy audit, and dry-run modes first, and require explicit user approval before any write or live provider action.
A trusted MCP client may receive health-related data such as body composition, sleep, activity, workouts, and heart records.
The skill is intended to expose Withings data through MCP-compatible clients, which is expected but creates a sensitive data boundary between the local connector and any configured agent.
helping Claude, Codex, Cursor, Hermes, OpenClaw, or another MCP-compatible client use this project
Configure the MCP server only in clients you trust, and review what data the client can request before using it.
