Back to skill
Skillv1.0.0
ClawScan security
Apple Health CSV · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 11:20 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its purpose — it parses local Apple Health CSV exports and does not request credentials or network access — but there is a small documentation vs code mismatch to be aware of.
- Guidance
- This skill appears to do what it says: it reads Apple Health CSV exports from a local folder and produces summaries, with no network calls or secret requirements. Before installing: (1) Confirm where your CSVs must live — SKILL.md mentions ~/.openclaw/workspace-butler/health-data/ but the script defaults to a relative ../health-data; you can set HEALTH_DATA_DIR to point to your files. (2) Review the included scripts yourself (they are local Python code) if you want to be sure they only access the CSV folder. (3) Run the tool on a test CSV set first to confirm output and that it reads the intended files. If you need the agent to operate autonomously, remember this skill can be invoked by the agent but it does not request any special privileges or credentials.
Review Dimensions
- Purpose & Capability
- noteName/description match the actual behavior: the code reads Apple Health CSV exports and computes summaries for many metrics. The SKILL.md says a default data directory of ~/.openclaw/workspace-butler/health-data/, but the script's DATA_DIR default is a relative ../health-data path (or set by HEALTH_DATA_DIR). This doc-vs-code mismatch could cause confusion for less technical users.
- Instruction Scope
- okRuntime instructions and the script keep operations local: reading CSV files from the stated data directory, parsing, grouping, and printing or emitting JSON. The instructions do not ask the agent to read arbitrary system files or transmit data externally.
- Install Mechanism
- okNo install spec is present (instruction-only). The skill ships with a Python script and tests; nothing is downloaded or installed automatically, which minimizes install-time risk.
- Credentials
- noteThe SKILL.md documents an optional HEALTH_DATA_DIR env var and the code honors an env var, so environment access is minimal and proportional. There are no required credentials or secrets. Note again the default path mismatch between docs and code.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide configuration.