Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Samsung Health

v1.0.1

Analyze Samsung Health Connect data synced to Google Drive. Use for health tracking queries like sleep analysis, step counting, heart rate monitoring, SpO2 b...

MIT-0
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the required pieces: it needs access to Google Drive exports and a local CLI to parse Health Connect data. Declared required binaries (gog, python3) align with downloading from Drive and running a Python CLI.
Instruction Scope
SKILL.md stays on-topic: it instructs how to clone the repo, create a venv, configure a per-user ~/.config/samsung-health/config.yaml, and run the shealth CLI. It does not ask the agent to read unrelated system files or export data to unexpected endpoints. The one scope-expanding step is the instruction to fetch and install external code (see install_mechanism).
Install Mechanism
No packaged install spec in the registry, but SKILL.md directs a git clone from https://github.com/mudgesbot/samsung-health-skill followed by pip install -e . in that checkout. GitHub is a common host, but cloning and installing arbitrary repository code executes remote code locally (setup/install hooks). Users/agents should review the repository before running the install commands and prefer an isolated environment.
Credentials
The skill requests no environment variables and only requires gog and python3. The config file asks for a Google Drive folder_id and account (expected for Drive access). No unrelated credentials or broad environment access are requested by the skill itself.
Persistence & Privilege
always:false and the skill asks to create its own config under ~/.config/samsung-health (normal). Be aware that an autonomous agent invocation could perform the git clone/pip install steps if permitted — this is a standard platform behavior but increases risk if you do not trust the repository.
Scan Findings in Context
[no_regex_findings] expected: The scanner found nothing because the skill package contains only SKILL.md (instruction-only). SKILL.md itself includes a git clone command; that external repository was not scanned.
Assessment
This skill appears to do what it says, but it fetches and installs code from a third‑party GitHub repository. Before installing or letting an agent run it automatically: (1) manually review the repo (README, setup.py/pyproject, and any install scripts) to ensure there are no malicious install hooks; (2) run the install inside an isolated environment (container or dedicated VM) and not on a sensitive host; (3) ensure the gog CLI is configured with a Google account you are willing to grant Drive access to (use the least-privilege account possible); (4) if you don't trust the repo, decline automatic installation and ask the skill author for a signed release or a vetted package instead.


Tags: fitness, health, heart-rate, latest, samsung, sleep, spo2, steps

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: gog, python3
