Skillv1.0.0

ClawScan security

Apple Watch Health Sync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 19, 2026, 4:27 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it says (sets up a local server to receive Apple Health exports), but several instructions ask the agent to read and transmit a locally-stored secret (.env.json) and to register a persistent, elevated background service — these behaviors are disproportionate or risky and should be handled carefully before installing.
Guidance: This skill appears to implement a legitimate local server for Health Auto Export, but it asks the agent to read and send local secret files and to register a persistent elevated service — both are risky. Before installing: 1) Review server.py, setup.py, and any templates yourself (don’t blindly run setup.py). 2) Do NOT forward the entire .env.json to anyone; instead copy only the API key value to your phone or paste it manually into the Health Auto Export header. 3) Avoid creating a scheduled task with 'Highest' run level—create a user-level service/task instead (least privilege). 4) Run pip installs inside a virtualenv, and inspect network access (the script downloads from GitHub). 5) Restrict access to the server with a strong API key and firewall rules (limit to your LAN or specific IP). 6) If you are unsure, run the server in an isolated VM or on a machine you can safely expose to your phone. If you want, I can: summarize the exact files this setup will create, show the API key line in .env.json so you can copy it manually, or display the server.py code for review.

Review Dimensions

Purpose & Capability: okThe name/description (Apple Watch health sync via Health Auto Export) matches what the code and SKILL.md do: generate an API key, write a local Flask server (server.py), provide templates, and guide phone setup to POST health data to the PC. Requiring Python and creating local files is coherent with the stated purpose.
Instruction Scope: concernThe runtime instructions explicitly tell the agent to read .env.json (which contains the API key) and to 'SEND THE FILE TO USER' and to attach tutorial images from the skill directory. Asking an agent to read a local secret file and transmit it over the chat channel is risky and overly broad — the agent should only reveal the API key value to the user's device, not necessarily transmit internal files. The instructions also direct the agent to kill processes on port 3001 and manipulate system services; these are within scope for setup but are sensitive operations and should be done only with explicit user consent and minimal privilege.
Install Mechanism: noteThere is no packaged install spec (instruction-only), but setup.py may pip-install Flask and will download a GitHub zip as a fallback. Downloading from GitHub and installing Flask via pip is reasonable for this purpose, but note that setup.py writes new files (server.py, dashboard.html, templates, etc.) into the skill directory — review them before running. The upstream zip URL is a GitHub release path (not a random server), which reduces but does not eliminate risk.
Credentials: concernThe skill declares no required environment variables, which is fine, but it generates and stores an API key in .env.json and instructs the agent to read and transmit that file. Requiring the agent to disclose that local secret file is disproportionate; only the API key value (or instructing the user how to copy it manually) is necessary for phone setup. Also the setup writes persistent files in the skill directory (gitignored .env.json) which contain credentials — these should be treated as secrets.
Persistence & Privilege: concernThe SKILL.md requires the server to run independently and gives concrete instructions for registering persistent services. On Windows the provided Scheduled Task uses -RunLevel Highest (elevated) which is unnecessary for a user-level server and is excessive privilege. macOS launchd and the 'nohup' quick-start are less problematic, but the overall guidance promotes persistent background execution and process-killing which increases the attack surface if misused. The skill is not 'always: true', but persistence instructions are privileged and should be tightened.