withings-health
v1.0.1Fetches health data from the Withings API including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use this skill when the user asks about their Withings data, weight history, body metrics, daily steps, sleep quality, or any health measurement from Withings devices.
⭐ 4· 2.5k·7 current·7 all-time
by@hisxo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (Withings health data) align with required binaries (node) and required env vars (WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET). The commands in SKILL.md map to a local wrapper.js that would reasonably implement OAuth and API calls to Withings.
Instruction Scope
SKILL.md confines runtime actions to running wrapper.js for auth and data retrieval and explains the OAuth flow and expected outputs. It does not instruct reading unrelated files or asking for unrelated credentials. It suggests creating a local .env file and using localhost callback URL for OAuth, which is typical for developer apps.
Install Mechanism
There is no install spec (instruction-only) and the skill includes a local wrapper.js file; no external downloads or package installs are requested. Risk is limited to executing the provided JavaScript locally (node), so review of that file is recommended.
Credentials
Only WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET are required, which is proportionate for a Withings integration. The SKILL.md does not request unrelated secrets or multiple unrelated credentials. It does note token refresh behavior but does not specify where tokens are persisted — that should be verified in wrapper.js.
Persistence & Privilege
The skill is not marked always:true and has no OS restrictions. disable-model-invocation is not set (default model-invocable), which is normal for user-invoked integration skills. Confirm where and how tokens are stored (disk vs ephemeral) because persistent token storage could allow later access unless managed carefully.
Assessment
This skill appears coherent for accessing Withings data: it needs your Withings client ID and secret and runs a local node script to perform OAuth and fetch metrics. Before installing or running it: 1) Inspect wrapper.js to confirm it only performs Withings API calls and to see where OAuth tokens are saved (disk location, permissions, encryption). 2) Keep your WITHINGS_CLIENT_SECRET private and do not commit a .env to version control. 3) Use the localhost OAuth callback as described and verify the app on Withings is configured correctly. 4) If you plan to let the AI model invoke skills autonomously, be aware the skill can use stored tokens to access your Withings data later — only proceed if you trust the code and token handling. If you are not comfortable reviewing the code, ask the publisher for a security summary of token storage and network destinations.Like a lobster shell, security has layers — review code before you run it.
latestvk97afrvty5h3m1c65kp1ecxpsx7zcc6w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚖️ Clawdis
Binsnode
EnvWITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET