ClawHub

Health Auto Log

v1.0.0

Automatically detect and log health data (weight, blood sugar, exercise) to AX3 system. Use when user sends health measurements via WhatsApp or other messagi...

0· 324·1 current·1 all-time
by@klcintw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes recording to AX3 via 'mcporter', but the skill metadata lists no required binaries or config paths. The script actually invokes the external 'mcporter' binary and hard-codes a user-specific config file (/Users/klcintw/clawd/config/mcporter.json). Those dependencies are not declared and are not proportionate to the manifest.
!
Instruction Scope
Runtime instructions tell the agent to run the included script, which is fine, but the script will call an external tool and attempt to use a specific local config file. The SKILL.md mentions mcporter but does not disclose the hard-coded config path or the expectation that a local mcporter installation and user config exist. That hidden file access is out-of-band for what a user would expect.
Install Mechanism
There is no install spec (instruction-only + code file) so nothing is written during install. However the script relies on an external binary ('mcporter') being present on PATH; the skill metadata did not declare this required binary. No network/download install risk is present.
!
Credentials
The skill declares no required env vars or config paths, yet the script references a concrete config file path likely to contain credentials for mcporter/AX3. This is disproportionate: the code can read or rely on local credentials without declaring or requesting them explicitly.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or agent-wide settings.
What to consider before installing
This skill's behavior is plausible (auto-detect health metrics and call AX3), but the implementation is sloppy and potentially privacy-sensitive: it hard-codes a specific user's mcporter config path and invokes an external 'mcporter' binary that was not declared. Before installing or using it, ask the author to: (1) explain and remove the hard-coded path (make the config path or mcporter options configurable via env var or parameter), (2) declare 'mcporter' as a required binary and document what its config contains, (3) confirm whether mcporter.json contains secrets and whether those will be used/exposed, and (4) run the script in a safe sandbox to verify it doesn't read unexpected files. Do not install or give this skill access to production health data until these issues are resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk971gme37v5b49hm99k7qw1zvx81zm43

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments