health-sync
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for health analysis, but it may sync and store Eight Sleep data for bed occupants or related users, not just the installing user.
Review before installing. Only use this on a trusted host, because it stores provider credentials and detailed health data. If you connect Eight Sleep, verify whether partner/bed-occupant data will be synced and get consent or disable that collection. Also review the external health-sync npm package before uploading the encrypted credential archive.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The bot could sync, store, and analyze a partner's or household member's sleep/profile data without that person clearly consenting through this skill.
The stated skill purpose focuses on the user's health data, but this reference describes ingesting profiles for other bed occupants or related users from Eight Sleep.
### `users` (Bed Occupants / Related Users) ... gathered from: current user id, devices.result.leftUserId, devices.result.rightUserId, devices.result.awaySides.*
Restrict Eight Sleep syncing to the authenticated/current user by default, or clearly disclose related-user collection and require explicit consent or an exclusion option.
Anyone with access to the bot host or backups could potentially access health records or provider tokens.
The skill persistently stores provider credentials and a local health database on the bot host, which is expected for sync but sensitive.
Expected local working paths: ... workspace/health-sync/.health-sync.creds ... workspace/health-sync/health.sqlite ... Finish flow writes decrypted secrets to local files on the bot host.
Use this only on a trusted host, protect the credential and SQLite files, define retention/deletion practices, and revoke provider access when no longer needed.
A normal health question may refresh data from connected providers before the answer is produced.
The agent is instructed to execute a local CLI sync before analysis; this is disclosed and purpose-aligned, but it can contact providers and update local data automatically.
Before any analysis, always run: `npx health-sync sync`
Confirm which providers are enabled and ask for stale-data analysis if you do not want a fresh sync for a particular request.
The security of credential handling and syncing depends on the external health-sync package and its publisher.
The main runtime behavior comes from an external npm package rather than code included in the reviewed skill artifacts.
node | package: health-sync | creates binaries: health-sync
Review or pin the npm package version/source before connecting sensitive health accounts.
