OpenClaw Health Brief

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: openclaw-health-brief
Version: 1.0.0

This skill bundle is classified as benign. While it involves high-risk capabilities such as reading and writing sensitive OAuth tokens to 1Password (via `op` CLI) and a local file (`~/.openclaw/secrets/health_tokens.json`), and making network requests to external APIs (Oura, Whoop, Withings), these actions are explicitly stated in `SKILL.md` and `README.md`, are necessary for the skill's core functionality (fetching health data and persisting tokens for rotation), and are implemented with security considerations (e.g., opt-in 1Password writeback, `chmod 0o600` for local files). The prompt injection instructions in `SKILL.md` and `README.md` for the AI agent are functional, directing it to process and summarize the skill's output, without any evidence of malicious intent or attempts to manipulate the agent beyond its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may fail as packaged, or a user may be pushed toward running credential-handling code that was not present in the reviewed artifacts.

Why it was flagged

The setup depends on ./bin/health-reauth and ./bin/health-brief, but the provided file manifest contains no bin/ files. Those missing entrypoints are central to OAuth re-auth, token persistence, and daily execution.

Skill content

python3 ./bin/health-reauth all ... ./bin/health-brief --date "$(date +%F)"

Recommendation

Do not run the re-auth or cron workflow until the package includes the referenced bin scripts and their provenance and behavior can be reviewed.

What this means

Installing and using the skill gives the workflow access to health-service credentials and potentially a 1Password vault selected by the user.

Why it was flagged

The skill asks for 1Password access and provider OAuth tokens. This is expected for a health-provider integration, but it is sensitive account access and is not reflected in the registry credential/env-var declarations.

Skill content

export OP_SERVICE_ACCOUNT_TOKEN="your-token" ... WHOOP_ACCESS_TOKEN ... OURA_PERSONAL_ACCESS_TOKEN ... WITHINGS_REFRESH_TOKEN

Recommendation

Use a dedicated, least-privilege 1Password vault/service account and only provide tokens for providers you actually want included.

What this means

A refreshed OAuth token could be visible locally while the 1Password edit command is running.

Why it was flagged

When OPENCLAW_1P_WRITEBACK=1 is enabled, the rotated secret value is embedded directly in the 1Password CLI command arguments, which can expose secrets to local process inspection on some systems.

Skill content

cmd = ["op", "item", "edit", item_title, f"{field_name}={value}"]

Recommendation

Avoid enabling 1Password writeback unless you understand the local exposure risk; prefer safer secret-update mechanisms that do not place token values in process arguments.

What this means

If enabled, the agent will automatically fetch and summarize health data every morning.

Why it was flagged

The skill documents a persistent daily OpenClaw cron job that runs an agent session, executes the brief, reads the output, and reports a summary. This is disclosed and purpose-aligned, but it is ongoing automation.

Skill content

openclaw cron add --name "morning-health-brief" --schedule "0 8 * * *" --session-target isolated

Recommendation

Only add the cron job if you want ongoing automation, verify the delivery channel is private, and remove the cron job if you no longer want automatic health summaries.

What this means

Daily sleep, readiness, activity, weight, and related metrics may remain on disk and may be sent through the configured reporting channel.

Why it was flagged

The workflow writes health metrics to a local JSON file and has an agent read and summarize it. This is part of the intended workflow, but the file contains sensitive health context.

Skill content

--out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics

Recommendation

Store outputs in a private location, clean up old files, and be careful about where the summary is delivered.