ClawHealth Data Skill
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with this token and customer ID could request the user's ClawHealth reports until the token is deleted or revoked in the app.
The skill requires a delegated bearer token that grants access to the user's ClawHealth API data. This is disclosed and purpose-aligned, but it is still sensitive account authority.
Agent API token: long-lived token created in the ClawHealth iOS app. The app shows it once. Store and use it as `Authorization: Bearer <token>`.
Only use a token created for this purpose, keep it out of ordinary chat when possible, and revoke it in the ClawHealth app if you stop using the skill or suspect exposure.
Stored credentials and identifiers may allow future health-data access without the user re-entering them each time.
The skill explicitly asks the agent to retain and reuse a customer identifier and long-lived credential. This supports convenience but creates persistent sensitive context.
After setup, keep using the stored `customer_id` and Agent API token.
Use secure credential storage if available, avoid pasting tokens into shared chats, and clear stored credentials or revoke the token when no longer needed.
Incorrect or unintended profile updates could affect calorie, macro, readiness, or supplement recommendations.
The skill can write profile data to the ClawHealth API. The trigger is user-provided profile information and the endpoint is scoped, so this is purpose-aligned rather than suspicious.
Use when the user gives age, sex, height, weight, goal, or activity level... POST /api/clawhealth/profile
Confirm profile changes before saving them, especially weight, goals, activity level, or other details that influence health recommendations.
