ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apple Health

v1.0.0

Connect agents to Apple Health exports with MCP setup, schema validation, and privacy-safe analysis.

1· 438·1 current·1 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Apple Health exports, MCP, schema validation, privacy-safe analysis) align with requested binaries (node, npx) and the single env var (HEALTH_DATA_DIR). No unrelated credentials or system-level paths are requested.
Instruction Scope
SKILL.md stays focused: validate a local export, verify Node LTS, wire an MCP server via npx, run schema discovery, then bounded queries. It explicitly forbids claiming live HealthKit access and warns not to upload CSVs by default. Instructions reference only the declared HEALTH_DATA_DIR and local memory files.
Install Mechanism
There is no bundled install spec, but the runtime uses npx to fetch and run @neiltron/apple-health-mcp from the public npm registry (and references GitHub raw pages and the App Store). These are well-known hosts, but running remote npm packages (npx) is a moderate supply-chain risk — expected for this skill's architecture but worth user attention.
Credentials
Only HEALTH_DATA_DIR is required and declared. Optional runtime envs in docs (MAX_MEMORY_MB, CACHE_SIZE) are reasonable for large local datasets. No unrelated tokens, secrets, or system credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation. Skill writes small local memory files under ~/apple-health/ (documented templates) which is appropriate for its purpose. It does not request elevated or cross-skill configuration changes.
Assessment
This skill appears coherent with its stated purpose, but it relies on a third-party npm package (@neiltron/apple-health-mcp) that npx will download and run locally. Before installing or running: (1) confirm you trust that npm package and its author (inspect the package source on GitHub or npm), (2) run it in a controlled environment or sandbox if you are cautious, (3) ensure HEALTH_DATA_DIR points to only the exports you want processed, and (4) be aware that ~/apple-health/ will store integration metadata (not raw CSVs unless you explicitly save them). If you want to reduce supply-chain risk, consider installing the MCP package from a vetted release (manual npm install from a pinned version) or using a validated fallback CLI noted in the documentation.

Like a lobster shell, security has layers — review code before you run it.

latestvk979jejfgtgkkqgv9r4fnb20vx821vqk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

❤️ Clawdis
OSmacOS · Linux · Windows
Binsnode, npx
EnvHEALTH_DATA_DIR

Comments