Skill v0.8.1

ClawScan security

Apple Health Sync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 9, 2026, 10:16 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, install steps, and runtime instructions are coherent with its stated purpose (end-to-end encrypted Apple Health sync) and request only proportional resources; it does communicate with app-owned Supabase endpoints and stores local key material, so only install if you trust the service owner.
Guidance
This skill appears internally consistent for syncing encrypted Apple Health data: it creates local key material, talks to app-owned Supabase functions, and decrypts data locally. Before installing, confirm you trust the service operator (https://gethealthsync.app/ and the Supabase domain in config.py). Note that the skill will create files and private keys under ~/.apple-health-sync; treat those files as sensitive (do not share them). If you need stronger isolation, run the skill in a dedicated user account or container. Review the hardcoded Supabase URLs and publishable key (present in scripts/config.py) and ensure they match the official project; if you plan to uninstall, securely delete the state directory to remove stored keys and data. If you have low confidence in the project's trustworthiness, do not install, or audit the Supabase endpoints and server-side functions before use.

Review Dimensions

Purpose & Capability
[ok] Name/description match the implementation: scripts generate local keys, render an onboarding payload/QR, call app-owned Supabase function endpoints to fetch encrypted blobs, decrypt locally, sanitize and persist snapshots, and produce summaries. Required binaries (openssl) and Python cryptography are appropriate for the cryptographic operations performed.
Instruction Scope
[ok] SKILL.md and scripts instruct the agent to run onboarding, fetch, unlink and summary scripts and to use a single state directory under ~/.apple-health-sync. Network calls are limited to the app-owned Supabase function endpoints declared in config.py; the agent is not instructed to read unrelated system files or environment variables.
Install Mechanism
[ok] Install spec only installs openssl via Homebrew and requires the Python 'cryptography' package. Both are proportionate to the cryptographic operations. No arbitrary downloads or obscure install URLs are used.
Credentials
[note] The skill does not request user secrets or environment variables, which is appropriate. However, the code embeds app-owned Supabase function URLs and a publishable key in APP_CONFIG; the skill will communicate with those external endpoints (fetch/QR/unlink) and relies on local private keys for decryption/signing. This is expected for the stated purpose but means you must trust the service operator.
Persistence & Privilege
[ok] The skill stores state and private keys under ~/.apple-health-sync (config/secrets). It does not request always:true or attempt to modify other skills or system-wide agent settings. Creating local files and keys is necessary for its function.