ClawHealth Data Skill
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: clawhealth-data-skill
Version: 0.4.1
The clawhealth-data-skill bundle is a health data analysis tool designed to interface with the ClawHealth service at 'https://clawhealth.site'. It uses a user-provided API token and customer ID to fetch health reports, log nutrition/mood, and generate temporary visual panels. The instructions in SKILL.md are focused on providing a natural user experience, adhering to scientific references, and maintaining appropriate medical disclaimers. No evidence of malicious intent, unauthorized data exfiltration, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with this token and customer ID could request the user's ClawHealth reports until the token is deleted or revoked in the app.
The skill requires a delegated bearer token that grants access to the user's ClawHealth API data. This is disclosed and purpose-aligned, but it is still sensitive account authority.
Agent API token: long-lived token created in the ClawHealth iOS app. The app shows it once. Store and use it as `Authorization: Bearer <token>`.
Only use a token created for this purpose, keep it out of ordinary chat when possible, and revoke it in the ClawHealth app if you stop using the skill or suspect exposure.
Stored credentials and identifiers may allow future health-data access without the user re-entering them each time.
The skill explicitly asks the agent to retain and reuse a customer identifier and long-lived credential. This supports convenience but creates persistent sensitive context.
After setup, keep using the stored `customer_id` and Agent API token.
Use secure credential storage if available, avoid pasting tokens into shared chats, and clear stored credentials or revoke the token when no longer needed.
Incorrect or unintended profile updates could affect calorie, macro, readiness, or supplement recommendations.
The skill can write profile data to the ClawHealth API. The trigger is user-provided profile information and the endpoint is scoped, so this is purpose-aligned rather than suspicious.
Use when the user gives age, sex, height, weight, goal, or activity level... POST /api/clawhealth/profile
Confirm profile changes before saving them, especially weight, goals, activity level, or other details that influence health recommendations.
