Back to skill

Security audit

OpenClaw Health Brief

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate health-summary skill, but it needs Review because it handles long-lived health account tokens and the documented main CLI/reauth scripts are missing from the package.

Review before installing. Ask the publisher to include the missing bin scripts, inspect the reauthorization flow before entering provider credentials, use a dedicated least-privilege 1Password vault or narrowly scoped environment variables, avoid sourcing broad secrets files in cron jobs, and write health JSON to a private path instead of /tmp.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly uses sensitive capabilities including environment access, local file read/write, shell commands, and network access, yet it declares no permissions. That creates a transparency and review failure: users may install or schedule it without understanding that it can access secrets, persist OAuth tokens, and transmit health data to external providers.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior goes beyond a simple health brief by persisting rotated credentials, interacting with 1Password, storing tokens locally, exposing provider-specific data types, and supporting additional CLI/debug flows. This mismatch undermines informed consent and can cause users to authorize broader secret handling and data collection than they expect.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that rotated OAuth tokens are automatically saved to both 1Password and a local file, but it does not clearly warn users that long-lived refresh tokens and potentially sensitive health output files will persist on disk. In a health-data skill, silent local persistence increases the chance of unintended exposure through backups, shared accounts, misconfigured file permissions, or compromised endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions state that tokens are saved automatically to 1Password and a local secrets file, but they do not present this as a clear security/privacy warning. Because OAuth tokens and generated health summaries are sensitive, failing to prominently warn users increases the risk of insecure local storage, accidental backup/sync exposure, and unintentional disclosure of personal health information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cron example automates recurring generation and delivery of personal health summaries without prominently warning that sensitive health data will be processed and potentially written to /tmp or sent through downstream channels. Scheduled unattended execution increases exposure because users may forget it is running, outputs may accumulate, and delivery targets may be less secure than expected.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation states that connectors perform live API calls by default whenever credentials are present, but it does not clearly warn users that running the skill may transmit health-related data and metadata to third-party services. In a health aggregation skill, this default behavior increases the chance of unintended external requests in local or testing contexts, which can surprise users and expose sensitive usage patterns or personal data.

Credential Access

High
Category
Privilege Escalation
Content
--tz "America/New_York" \
  --session-target isolated \
  --message 'Run the health brief:
source ~/.openclaw/secrets/gateway.env
export OPENCLAW_1P_VAULT=YourVault
./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics with a Green/Yellow/Red rating.'
Confidence
97% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.