Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ultrahuman Analytics

v0.1.0

Advanced Ultrahuman analytics, trends, predictions, and reports. Use this skill when the user asks for weekly report, 7-day summary, recovery trend, sleep co...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes appropriate multi-day Ultrahuman analytics and consistently instructs the agent to call an ultrahuman_mcp tool (ultrahuman_get_daily_metrics). However, the skill registry metadata declares no required tools, binaries, or environment variables. The SKILL.md explicitly requires either an ULTRAHUMAN_EMAIL environment variable or the email provided in the user message — this dependency is not reflected in the metadata, which is an inconsistency.
Instruction Scope
Instructions are narrowly scoped to read-only analytics from per-date ultrahuman_get_daily_metrics calls and direct the agent not to invent data. There are no instructions to read unrelated files or to post data to external endpoints other than the implied ultrahuman_mcp. The notable scope issue is the SKILL.md's reliance on ULTRAHUMAN_EMAIL or a provided email and on the external ultrahuman_mcp tool; those runtime inputs are not declared in the skill manifest.
Install Mechanism
No install spec and no code files are present (instruction-only), so there is no installer download or archive-extract risk.
! Credentials
The manifest lists no required environment variables, but the instructions refer to ULTRAHUMAN_EMAIL as a possible source for identifying the user account. If the skill needs an email or API keys to fetch personal health data, those credentials/inputs should be declared. The current omission is disproportionate to the skill's declared metadata and obscures what personal identifiers or secrets are needed.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; it does not appear to require persistent installation or system-wide configuration changes.
What to consider before installing
Before installing, verify two things: (1) how the ultrahuman_get_daily_metrics calls are actually performed — does your agent platform provide an ultrahuman_mcp tool and where is its authentication stored? (2) confirm whether the skill expects an ULTRAHUMAN_EMAIL environment variable or will ask the user for an email at runtime; this should be declared in the skill manifest. Because this skill reads sensitive personal health data (sleep, HRV, glucose), ensure you understand where those API requests will be sent, who holds the credentials, whether fetched data will be stored or logged, and that the user consents to pulling multiple days of data. If you plan to install, ask the publisher to update the manifest to declare required tools and any environment variables/credentials (or clarify that the ultrahuman_mcp tool handles auth) so you can assess proportionality and privacy implications.

Like a lobster shell, security has layers — review code before you run it.
