Skill v0.1.0
ClawScan security
Withings (Official API) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 7:26 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally coherent for a Withings OAuth integration: the scripts contact only Withings endpoints, store tokens locally, and the runtime instructions match the code. However, the registry metadata omits the environment variables the skill actually requires and the source/homepage is missing, so verify before installing.
- Guidance: This skill appears to be a legitimate Withings OAuth client. Before installing: (1) confirm the registry metadata and SKILL.md agree; the skill needs WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET, and WITHINGS_REDIRECT_URI; (2) only provide client credentials you control for personal use; (3) be aware the skill will save OAuth tokens to ~/.config/openclaw/withings/token.json (check and, if desired, change WITHINGS_TOKEN_PATH); (4) verify the skill source if possible (homepage/source is missing) and prefer published code from an official or trusted repo; and (5) if you stop using the skill, revoke the Withings token and delete the local token file.
Review Dimensions
- Purpose & Capability [note]: The name/description (Withings OAuth integration) matches the code and instructions: it implements OAuth, fetches measurements/sleep, normalizes and renders results. However, the registry metadata at the top lists no required environment variables, while SKILL.md and the scripts require WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET, and WITHINGS_REDIRECT_URI; this metadata mismatch is likely a packaging/manifest omission and should be corrected.
- Instruction Scope [ok]: SKILL.md instructs the agent to run local Python scripts that only access the declared env vars, optionally run a local loopback listener, call Withings endpoints (account.withings.com and wbsapi.withings.net), and read/write a token file under ~/.config/openclaw/withings. There are no instructions to read unrelated system files or send data to third-party endpoints.
- Install Mechanism [ok]: There is no install spec and all code is bundled as local scripts (no external downloads or package installs). That minimizes installation risk; nothing is written to disk by an installer beyond the token file the scripts themselves create when run.
- Credentials [note]: The required secrets (client_id, client_secret, redirect_uri) are appropriate and necessary for OAuth. The skill stores tokens under ~/.config/openclaw/withings/token.json (attempting to chmod the file to 0o600). The notable issue: the registry metadata does not declare these required env vars; users should be aware the skill will need those secrets and will store a token file locally.
- Persistence & Privilege [ok]: The skill does not request always:true and does not modify other skills or system-wide configs. It persists OAuth tokens only to a user-scoped config path, which is normal for an OAuth client; treat the token file as a sensitive secret.
