ClawHub
Back to skill
v1.0.0

Health Check

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:39 AM.

Analysis

This appears to be a simple local health logger that writes sleep and water records to a JSON file, with some minor notes about Node command use, persistent health data, and packaging metadata consistency.

GuidanceThis skill looks safe for its stated purpose if you are comfortable storing water and sleep records locally. Before installing, note that it relies on Node.js command snippets, writes a persistent health-data.json file, and should only be used with validated numeric inputs and deliberate update/delete requests.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
d.water.push({time:new Date().toISOString(),cups:CUPS});fs.writeFileSync(f,JSON.stringify(d)); ... Replace `CUPS` with number from user input.

The skill places a user-derived value into a local Node command and writes the result to disk. This is consistent with the health-tracking purpose, but the value should be treated strictly as a number.

User impactThe agent can create or modify the local health log when triggered; malformed or unintended values could result in bad records.
RecommendationOnly substitute validated numeric cup counts, and treat update/delete actions as deliberate user-directed changes.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
_meta.json
"ownerId": "kn7129pr4xtrwpbxszgx6bmfjx80a9pz", "slug": "healthcheck", "version": "1.0.2"

The packaged metadata differs from the registry metadata shown for this evaluation, and the registry declares no required binaries even though the skill uses Node commands. This is a consistency/provenance note rather than evidence of hidden behavior.

User impactUsers may have less clarity about the exact package identity, version, and runtime requirement.
RecommendationAlign registry and package metadata, and declare Node.js as a required runtime if these command snippets are expected to be used.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
File: `{baseDir}/health-data.json` ... "water": [{"time": "ISO8601", "cups": 2}], "sleep": [{"time": "ISO8601", "action": "sleep|wake"}]

The skill persistently stores water and sleep records in a local JSON file. This is disclosed and central to the purpose, but it is still personal health-related data.

User impactAnyone or any agent with access to that local file could read, alter, or delete the user's sleep and water history.
RecommendationKeep the base directory private, back up or delete the file as desired, and avoid placing it in shared or synced folders unless that is intentional.