HealthKit Sync
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the example commands can create files containing private health data.
The skill gives user-directed CLI examples that can export health data to a local file; this is expected for the sync purpose but the output is sensitive.
healthsync fetch --start 2026-01-01T00:00:00Z --end 2026-12-31T23:59:59Z \ --types steps > steps.csv
Run fetch commands only for the date ranges and data types you need, and store or share exported CSV/JSON files carefully.
A paired Mac may continue to access permitted HealthKit data until the token is removed or expires according to the underlying app behavior.
The pairing workflow creates a bearer token for future access to the paired iOS device; the storage location is disclosed and purpose-aligned.
Token stored in macOS Keychain under service `org.mvneves.healthsync.cli`.
Pair only trusted devices, keep the Mac account protected, and remove the HealthSync config/Keychain item if you no longer want the pairing.
Users cannot verify the referenced project or CLI source directly from the registry metadata.
The skill package is instruction-only and does not install code, but the registry metadata does not provide provenance for the skill or the external CLI it documents.
Source: unknown Homepage: none
Install or run the healthsync CLI only from a source you trust, and confirm it matches the documented security behavior.
Private health samples may move from the phone into terminal output or files on the Mac.
The documented workflow transfers HealthKit samples from the iOS app to the macOS CLI over a device-to-device channel; the same artifacts describe TLS, certificate pinning, and local-network limits.
Health Data Fetch ... POST /health/data ... Query HealthKit ... Return samples ... Format as CSV/JSON
Use trusted local networks, verify pairing prompts, and avoid sending exported health data to chats, logs, or shared folders unless intended.