OpenClaw Health Brief

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate health-summary skill, but it needs review because it handles long-lived health account tokens and the main credential-handling scripts described in the docs are missing from the package.

Review before installing. Ask the publisher to include the missing bin/ scripts, inspect the reauthorization flow before entering provider credentials, use a dedicated least-privilege 1Password vault or scoped environment, avoid sourcing broad secrets files in cron jobs, avoid writing health JSON to shared temp paths, and periodically clean up or revoke stored tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly requires environment access, file read/write, network access, and shell execution, yet no permissions are declared. This weakens user consent and security review because a user may authorize a seemingly simple reporting skill without realizing it can access secrets, persist tokens, and execute commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description understates several sensitive behaviors, especially token storage/rotation, 1Password interaction, and local persistence of health-provider credentials. When a skill's documented purpose does not fully match its operational behavior, users and reviewers may expose secrets or approve automation without understanding the true data-handling and credential-management risks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The file adds generalized 1Password secret retrieval and writeback capability to a skill whose stated purpose is generating a health brief, which is broader than necessary and increases the skill's access to sensitive credentials. In an agent setting, this expands the blast radius: if other parts of the skill are prompt-influenced or misused, the helper can be leveraged to read or overwrite secrets unrelated to the health brief workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly instructs users to automatically persist OAuth tokens and write health output files locally, but it does not clearly warn that both credentials and sensitive health data will remain on disk. In this skill context, the data includes refresh tokens and personal biometric information, so compromise of the host, backups, temp directories, or multi-user environments could expose both account access and private health information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup text says tokens are saved automatically to ~/.openclaw/secrets/health_tokens.json, but it does not present this as a clear security warning or explain the sensitivity of those tokens. Persisting long-lived OAuth and refresh tokens to local storage increases the risk of credential theft from disk, backups, or overly permissive file permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI supports `--debug-raw`, and when enabled it includes raw WHOOP API responses in the payload that is printed to stdout. Those responses may contain sensitive health data and potentially metadata that should not be exposed in logs, terminals, shell history capture, CI output, or agent transcripts; there is no strong warning, redaction, or access control around this behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation states that connectors make live API calls by default whenever credentials are available, but it does not clearly warn users that personal health data and authentication material may be transmitted to third-party services. In a health-aggregation skill, this can lead to users unintentionally sending sensitive biometric data off-host, especially when they expect a local CLI with fallback behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that the tool writes a local `daily_health.json` file derived from Oura, Whoop, and Withings data, but it does not warn users that this output may contain sensitive health information. This can lead to accidental exposure through shared directories, backups, version control, or other local processes because users may not realize protected health-related data is being persisted.

Credential Access

High
Category
Privilege Escalation
Content
--tz "America/New_York" \
  --session-target isolated \
  --message 'Run the health brief:
source ~/.openclaw/secrets/gateway.env
export OPENCLAW_1P_VAULT=YourVault
./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics with a Green/Yellow/Red rating.'
Confidence
91% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
```
export OPENCLAW_1P_VAULT="YourVault"   # your vault name
```

Create items in your vault (see `docs/1PASSWORD_CONVENTIONS.md` for field details):
- `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Oura` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Withings` → `client_id`, `client_secret`, `access_token`, `refresh_token`, `user_id`
Confidence
86% confidence
Finding
Create items in your vault (see `docs/1PASSWORD_CONVENTIONS.md` for field details): - `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token` - `OpenClaw Oura` → `client_id`, `client

Session Persistence

Medium
Category
Rogue Agent
Content
```
export OPENCLAW_1P_VAULT="Assistant"  # or your vault name
```

Create items in your vault with these titles and fields:
- `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Oura` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Withings` → `client_id`, `client_secret`, `access_token`, `refresh_token`, `user_id`
Confidence
82% confidence
Finding
Create items in your vault with these titles and fields: - `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token` - `OpenClaw Oura` → `client_id`, `client_secret`, `token`, `refresh

VirusTotal

64/64 vendors flagged this skill as clean.
