Health Manager

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned local health-tracking skill, but users should treat the stored health and medication data as sensitive and review the npm-based install before use.

Before installing, make sure you are comfortable storing health and medication records locally, protect generated reports/backups, and review the npm package because the source is unknown. Treat any health analysis as informational rather than medical advice, and be cautious if you later enable third-party health-account integrations.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning (Severity: Medium)
What this means

Anyone with read access to the database file, exported files, backups, or generated reports can see the stored blood pressure, medication, and note records.

Why it was flagged

The skill persistently stores health metrics, medication records, and notes in a local database.

Skill content
SQLite database storage ... blood pressure record table (systolic, diastolic, heart rate, time, notes) ... medication record table (drug, dose, time) ... default location: `~/.config/health-manager/health.db`
Recommendation

Use it only on trusted devices, protect the database and report files, avoid placing exports in shared folders, and treat imported notes as data rather than instructions.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)
What this means

`npm install` runs lifecycle scripts (preinstall, install, postinstall, prepare) from the package itself and from any dependency that declares them, and `npm run build` runs whatever the package's `scripts.build` entry specifies, all with the installing user's privileges. That is expected for a CLI-based skill, but it means the install step is itself arbitrary code execution on the local machine.

Why it was flagged

The documented setup asks the user to install Node dependencies and run a build step locally.

Skill content
cd ~/.openclaw/workspace/skills/health-manager
npm install
npm run build
Recommendation

Review package.json and package-lock.json before installing, and install only from a trusted copy, especially because the registry source is listed as unknown. A practical sequence is `npm ci --ignore-scripts` (installs exactly what the lockfile pins without running any preinstall/postinstall scripts), then inspect the `scripts` of the root package and of every dependency that declares install scripts, and only then run the build.
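As an added example (not code from the skill or from ClawScan), the following Node script performs the review the recommendation asks for, offline and before anything is installed: it lists the package's own lifecycle scripts, every lockfile entry that declares install scripts, and every entry whose tarball does not come from the public npm registry. It assumes lockfile format v2/v3 (a `packages` map whose entries carry `hasInstallScript` and `resolved`). The package.json and package-lock.json contents are constructed samples; the `health-utils` dependency and its git URL are hypothetical.

```javascript
// Added example, not code from the skill or from ClawScan. Pre-install audit
// of a package directory: run it on the real package.json and package-lock.json
// before `npm install`. Sample inputs below are constructed.

const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Lifecycle scripts declared by the package itself. These run automatically
// during `npm install` in the package directory.
function rootLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return Object.fromEntries(
    Object.entries(scripts).filter(([name]) => LIFECYCLE.includes(name))
  );
}

// Lockfile v2/v3 lists every installed package under "packages". An entry with
// "hasInstallScript": true runs its own install scripts when unpacked, and
// "resolved" records where its tarball is fetched from.
function auditLockfile(lock) {
  const findings = { installScripts: [], offRegistry: [] };
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // root package, covered by rootLifecycleScripts
    if (entry.hasInstallScript) findings.installScripts.push(pkgPath);
    const src = entry.resolved || "";
    if (!src.startsWith(TRUSTED_REGISTRY)) {
      // git URLs, plain http URLs, local tarballs or a missing "resolved"
      // all mean the code is not the audited registry artifact.
      findings.offRegistry.push({ path: pkgPath, resolved: src || "(none)" });
    }
  }
  return findings;
}

function audit(pkg, lock) {
  return { root: rootLifecycleScripts(pkg), ...auditLockfile(lock) };
}

// Constructed sample: a package with a postinstall hook, one native dependency
// that declares install scripts, and one hypothetical dependency pulled from git.
const SAMPLE_PACKAGE_JSON = {
  name: "health-manager",
  version: "1.0.0",
  scripts: { build: "tsc -p .", postinstall: "node scripts/setup.js" },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "health-manager", version: "1.0.0" },
    "node_modules/better-sqlite3": {
      version: "9.4.3",
      resolved: "https://registry.npmjs.org/better-sqlite3/-/better-sqlite3-9.4.3.tgz",
      hasInstallScript: true,
    },
    "node_modules/commander": {
      version: "12.0.0",
      resolved: "https://registry.npmjs.org/commander/-/commander-12.0.0.tgz",
    },
    "node_modules/health-utils": {
      version: "0.1.0",
      resolved: "git+ssh://git@github.com/example/health-utils.git#abc123",
    },
  },
};

console.log(JSON.stringify(audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE), null, 2));
```

On the real files, load them with `JSON.parse(fs.readFileSync(...))` and pass them to `audit`. Each path the script lists is something to read before letting it run: the root's `postinstall`, the `scripts` section of every package under `installScripts`, and the origin of every `offRegistry` entry.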

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

If these integrations are used, the skill could access health data from third-party accounts or services.

Why it was flagged

The broader documentation describes an optional OAuth-based health-data integration, which would involve delegated access to an external health account if enabled.

Skill content
- **Google Fit**: OAuth authentication, data sync
Recommendation

Only authorize integrations you intend to use, grant the minimum available scope, and verify where imported data is stored before syncing.

ASI10: Rogue Agents (Severity: Info)
What this means

Reminder settings may continue to exist across sessions and can reveal health routines or medication schedules.

Why it was flagged

The skill supports persistent reminder configuration, but the documented commands show user-created reminders and user controls to toggle them.

Skill content
Medication reminder configuration ... blood pressure monitoring reminder ... exercise reminder ... health reminder add medication "08:00" --message "Time to take your medicine" ... health reminder toggle 1
Recommendation

Review active reminders periodically and disable or delete reminders you no longer want.