ClawHub

OpenClaw Health

Security checks across malware telemetry and agentic risk

Overview

This health-summary skill appears purpose-aligned, but it handles sensitive health data and durable OAuth credentials with enough persistence and secret-manager write authority that users should review it carefully before installing.

Install only if you are comfortable granting this skill access to health-provider OAuth tokens and sensitive biometric data. Use a dedicated 1Password vault/items if possible, avoid sourcing broad secrets files in automated agent sessions, check permissions on ~/.openclaw/secrets/health_tokens.json, and revoke provider tokens if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes environment access, file reads/writes, network access, and shell commands but does not declare those capabilities. That creates a transparency and review gap: users may authorize or run the skill without understanding it handles secrets, persists tokens locally, and performs external API/OAuth operations. In a health-data workflow, undeclared capabilities increase the chance of accidental overtrust and unsafe deployment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose understates materially sensitive behavior: the skill persists refreshed tokens, may write back to 1Password, and processes additional health/body metrics beyond a simple morning summary. This mismatch can mislead users and reviewers about the real data handling and privilege level, causing them to run a more sensitive workflow than intended. Because the data includes health information and long-lived tokens, incomplete disclosure is security-relevant.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The connector fetches and exposes blood pressure values (`meastypes` 10 and 11) and returns them in `withings_extra.bp`, even though the stated skill purpose is a daily health brief focused on Oura/Whoop/Withings morning summary data. This is a data minimization and scope-expansion issue: sensitive medical data is collected and surfaced without clear necessity, increasing privacy risk if the payload is logged, displayed, or reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code automatically persists rotated refresh tokens to both local storage and 1Password via `set_local_secret` and `set_secret`. While token rotation itself is legitimate, silently writing long-lived credentials expands the connector's capabilities beyond simple read-only briefing and creates persistence risk if the host is shared, compromised, or the user did not expect secret mutation.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The file adds generic 1Password secret retrieval and writeback capabilities to a skill whose declared purpose is producing a daily health brief. That broader capability expands the attack surface: if the skill or its dependencies are abused, it could read or modify unrelated secrets available to the configured 1Password account, which is more powerful than users would reasonably expect from the stated functionality.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest advertises local token persistence, but the implementation reaches out to 1Password for both secret retrieval and remote writeback. This mismatch is security-relevant because it can defeat user expectations, alter the trust model, and cause secrets to leave local storage boundaries for an external secret-management system without clear disclosure.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README instructs users to automatically persist OAuth tokens and deliver health summaries through automation, but it does not clearly warn that both tokens and sensitive health data may be stored, transmitted, or exposed through logs and downstream channels. In a health-data context, this increases privacy and compliance risk because users may unknowingly send personal medical-style information to third-party messaging services or shared systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup text states that tokens are automatically saved to ~/.openclaw/secrets/health_tokens.json, but it does not present this as a sensitive security warning or explain the risks of local secret persistence. Users may unknowingly leave bearer and refresh tokens on disk where other local processes, backups, or misconfigured permissions could expose them. Given these tokens can enable ongoing API access to health data, the omission is security-significant.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The connector writes a newly rotated refresh token into local and secret storage without any visible confirmation, consent check, or policy guard. Even if operationally convenient, silently persisting authentication material increases the chance of unintended credential retention and broadens the blast radius if the environment or local secret store is compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that connectors make live API calls by default and may source credentials from 1Password or environment variables, but it does not prominently warn users that running the skill can trigger outbound network access using locally available secrets. In an agent-skill context, this raises the risk of unexpected credential use, privacy exposure, and unintended transmission of sensitive health data to third-party services.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation states that the tool writes `daily_health.json` and can write to a user-specified output path, but it does not clearly warn users that sensitive health data will be persisted to disk. Because the output may contain biometric and wellness information from Oura, Whoop, and Withings, silent local storage increases privacy risk through unintended retention, backup syncing, or exposure to other local users/processes.

Credential Access

High
Category
Privilege Escalation
Content
--tz "America/New_York" \
  --session-target isolated \
  --message 'Run the health brief:
source ~/.openclaw/secrets/gateway.env
export OPENCLAW_1P_VAULT=YourVault
./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics with a Green/Yellow/Red rating.'
Confidence
91% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
export OPENCLAW_1P_VAULT="Assistant"  # or your vault name
```

Create items in your vault with these titles and fields:
- `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Oura` → `client_id`, `client_secret`, `token`, `refresh_token`
- `OpenClaw Withings` → `client_id`, `client_secret`, `access_token`, `refresh_token`, `user_id`
Confidence
86% confidence
Finding
Create items in your vault with these titles and fields: - `OpenClaw Whoop` → `client_id`, `client_secret`, `token`, `refresh_token` - `OpenClaw Oura` → `client_id`, `client_secret`, `token`, `refresh

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal