Skill v1.0.0
ClawScan security
Health Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 10:45 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, docs, and runtime instructions are consistent with a local CLI health-management tool; nothing in the bundle demands unrelated credentials or surprising network endpoints, but you should still inspect dependencies and installation scripts before running npm install.
- Guidance: This package appears to be a local CLI health manager and is generally coherent with its description, but take these precautions before installing/running it: (1) Inspect package.json for postinstall scripts or unusual lifecycle scripts; (2) Review dependencies for native modules or large packages (e.g., puppeteer which downloads Chromium) and be prepared for extra disk/network activity; (3) If you enable Apple Health/Google Fit/Wearable integrations, expect OAuth flows and Bluetooth/device permissions — only grant those when you understand the endpoint and privacy implications; (4) Verify where data is stored (~/.config/health-manager/health.db or ~/.health-manager/) and whether you want it encrypted/backed up; (5) If you are unsure, run npm install and the CLI in a sandboxed or disposable environment first and audit outgoing network connections while exercising sync features.
Review Dimensions
- Purpose & Capability (ok): Name/description (health data manager) match the included code, CLI, DB schema, reports, and docs. Requested resources (none) and declared functionality (SQLite, CLI, device/Apple Health integrations) are coherent with the stated purpose.
- Instruction Scope (note): SKILL.md gives standard local usage (npm install, build, CLI commands) and identifies the local DB path (~/.config/health-manager/health.db). Instructions do not direct the agent to read unrelated system secrets or exfiltrate data, but the project design explicitly describes optional integrations (Apple Health, Google Fit, BLE devices) which — if enabled — will request platform permissions or OAuth flows; those integrations are expected but require explicit user consent.
- Install Mechanism (note): Registry metadata shows no install spec, but SKILL.md and repository include code and explicit npm install/build steps. No remote download URLs or obscure installers were found in the provided files. Installing runs normal npm flow (inspect package.json and any lifecycle scripts first).
- Credentials (ok): The skill does not declare or require environment variables or external credentials in metadata. Design docs mention optional OAuth/device integrations — those would legitimately require credentials if you enable them, but nothing in the package silently asks for unrelated secrets.
- Persistence & Privilege (ok): Skill is not forced-always, and it does not request system-wide configuration changes in the provided materials. It stores user data locally by default; this is expected for a personal health manager.
