HealthKit Sync

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: healthkit-sync
Version: 1.0.0

The skill bundle is benign. All instructions and code snippets are directly related to the stated purpose of syncing iOS HealthKit data via the `healthsync` CLI, or to testing and debugging the skill itself. There is no evidence of intentional harmful behavior such as data exfiltration, malicious execution, persistence, or prompt injection against the agent. File system and process management commands (e.g., `ln -sf`, `pkill`, `cat`, `tail`) are used for local skill setup and diagnostics in `TESTING.md`, which is intended for human testers, not as instructions for the AI agent to execute maliciously. The `SKILL.md` provides clear, non-malicious guidance for the agent's use.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the example commands can create files containing private health data.

Why it was flagged

The skill gives user-directed CLI examples that can export health data to a local file; this is expected for the sync purpose but the output is sensitive.

Skill content

healthsync fetch --start 2026-01-01T00:00:00Z --end 2026-12-31T23:59:59Z \
  --types steps > steps.csv

Recommendation

Run fetch commands only for the date ranges and data types you need, and store or share exported CSV/JSON files carefully.

What this means

A paired Mac may continue to access permitted HealthKit data until the token is removed or expires according to the underlying app behavior.

Why it was flagged

The pairing workflow creates a bearer token for future access to the paired iOS device; the storage location is disclosed and purpose-aligned.

Skill content

Token stored in macOS Keychain under service `org.mvneves.healthsync.cli`.

Recommendation

Pair only trusted devices, keep the Mac account protected, and remove the HealthSync config/Keychain item if you no longer want the pairing.

What this means

Users cannot verify the referenced project or CLI source directly from the registry metadata.

Why it was flagged

The skill package is instruction-only and does not install code, but the registry metadata does not provide provenance for the skill or the external CLI it documents.

Skill content

Source: unknown
Homepage: none

Recommendation

Install or run the healthsync CLI only from a source you trust, and confirm it matches the documented security behavior.

What this means

Private health samples may move from the phone into terminal output or files on the Mac.

Why it was flagged

The documented workflow transfers HealthKit samples from the iOS app to the macOS CLI over a device-to-device channel; the same artifacts describe TLS, certificate pinning, and local-network limits.

Skill content

Health Data Fetch ... POST /health/data ... Query HealthKit ... Return samples ... Format as CSV/JSON

Recommendation

Use trusted local networks, verify pairing prompts, and avoid sending exported health data to chats, logs, or shared folders unless intended.