Skillv1.0.8

ClawScan security

Health Data AI Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 26, 2026, 11:48 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent: it only instructs the agent to read a read-only localhost API on macOS, requests no credentials or installs, and includes explicit rules against exfiltration — however the skill and its referenced Mac app come from an unknown source, so verify the app before use.
Guidance: This skill appears to do what it claims and asks for nothing unnecessary, but exercise caution before use: 1) Confirm the Health Data AI Analyzer Mac app (homepage clawhub.ai) is trustworthy and actually running on your Mac before allowing any data access. 2) Prefer letting the agent fetch the minimal localhost endpoint itself only while the app is running — if asked to paste a curl response, do not paste more data than requested (avoid full exports with persistent identifiers or unrelated PHI). 3) The skill forbids sending data externally, but that is an instruction the agent follows; it cannot be cryptographically enforced — if you have high-sensitivity medical data, verify the app’s provenance and consider not pasting raw exports. 4) Because the skill and app are from an unknown source, consider inspecting the Mac app or limiting its network access (e.g., firewall) before use. If you want higher assurance, ask the publisher for source or binaries you can audit before trusting sensitive health data.

Purpose & Capability: okName/description match the instructions: the skill is explicitly for generating Apple Health briefs from a macOS app's read-only localhost API. It requests no unrelated binaries, env vars, or config paths.
Instruction Scope: noteSKILL.md narrowly instructs the agent to read only specific localhost endpoints and forbids sending health data externally. It also instructs the agent to ask for one exact curl response if the local fetch is unavailable — this is reasonable but means the user may be asked to paste potentially sensitive JSON. The guidance is precise (not open-ended), but there's a user-data exposure risk when the user supplies JSON.
Install Mechanism: okNo install spec and no code files — instruction-only skill. This is low-risk because nothing is written to disk or downloaded by the skill itself.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. All declared requirements are proportional to the stated purpose (local API reads).
Persistence & Privilege: okalways:false and the registry policy sets allow_implicit_invocation:false, so the skill cannot be force-enabled or implicitly invoked. It does not request system-wide privileges or modify other skills.