ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VITA — Longevity Intelligence

v1.0.0

Access the user's personal health data from VITA, their longevity platform. Use this when the user asks about their health, how they're feeling today, sleep,...

0· 309·0 current·0 all-time
byVitaDAO@dobrinalexandru
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (access personal VITA health data) align with the runtime instructions which show how to call VITA's API; required credentials (an API key and API URL) are what you'd expect for this integration.
Instruction Scope
SKILL.md instructs storing VITA_API_KEY and VITA_API_URL in ~/.openclaw/openclaw.json and shows curl calls using those variables; this is within scope but you should be aware secrets are placed in the agent config file rather than only ephemeral environment variables.
Install Mechanism
No install spec or code is included (instruction-only). No downloads, packages, or binaries are requested, minimizing install-time risk.
Credentials
Only two items are used: an API key and the API URL. Those are proportional to the stated purpose and no unrelated credentials or system paths are requested.
Persistence & Privilege
always is false and the skill does not request system-wide privileges or to modify other skills; autonomous invocation is allowed by platform default but not exceptional here.
Assessment
This skill appears coherent and only needs your VITA API key and API URL. Before installing: (1) confirm the API key is generated from your VITA account and scope is limited if possible; (2) understand you are placing the secret into ~/.openclaw/openclaw.json—ensure that file's filesystem permissions are secure and that you are comfortable storing health data credentials there; (3) verify the API URL domain (app.vitadao.com) is correct for your account; (4) because the skill source is unknown, prefer to create a revocable key and revoke it if you stop using the skill. Autonomous agent invocation is allowed by default — if you want to restrict automatic calls, change your agent/skill invocation settings.

Like a lobster shell, security has layers — review code before you run it.

latestvk976teg6g2ywyhvbkpg9pf7y1s821rte

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments