Back to skill

Security audit

OpenClaw Health

Security checks across malware telemetry and agentic risk

Overview

This health-brief skill appears purpose-aligned, but it handles health data and long-lived OAuth credentials in ways users should review carefully before installing.

Install only if you are comfortable granting access to health-provider OAuth tokens and sensitive health metrics. Prefer a dedicated 1Password vault or service account limited to the three OpenClaw health items, avoid sourcing broad secrets files in cron jobs, store output outside shared or temporary paths, check permissions on the local token file, and revoke provider tokens if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs use of environment variables, local file persistence, shell commands, and networked OAuth flows, yet no explicit permissions are declared. This creates a transparency and containment problem: operators may approve or run the skill without understanding it can read secrets, write token files, and invoke external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The stated purpose understates several sensitive behaviors, including 1Password secret read/write, local token writeback, and collection of additional health data categories. This mismatch can mislead users about the true data access and storage footprint, undermining informed consent for highly sensitive health and credential data.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The refresh flow obtains a new access token and may detect refresh-token rotation, but it never persists the refreshed credentials back to secure storage. This can break re-auth reliability, cause repeated authentication failures, and leave the connector operating with stale credentials despite claiming local token persistence intent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code implements secret writeback to 1Password even though the skill description emphasizes local token persistence, creating a capability/behavior mismatch. Hidden or under-documented secret mutation is dangerous because it expands the trust boundary, can overwrite credential material unexpectedly, and may persist rotated tokens into a broader secret store than users anticipated.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Subprocess-based 1Password CLI integration adds credential-management and secret-modification capability that is not clearly necessary for generating a health brief. In this skill context, that extra access is more suspicious because a health-summary workflow should not need to edit external password-manager items, increasing the blast radius if the skill is misused or compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users to persist OAuth tokens and generated health output locally, including under predictable filesystem paths, but does not prominently warn that these artifacts contain sensitive authentication material and personal health data. In a health-data skill, local persistence increases exposure to compromise from other local users, backups, misconfigured permissions, or accidental sharing of files such as /tmp outputs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation says tokens are saved automatically to ~/.openclaw/secrets/health_tokens.json, but does not prominently warn about the security implications of persisting OAuth tokens for health services on disk. Local token storage increases exposure to other local users, backups, misconfigured permissions, or downstream tooling that may read sensitive files.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI exposes a `--debug-raw` mode that causes raw WHOOP API responses to be included in output, which can contain sensitive health metrics and possibly identifiers. Because the data is printed directly to stdout without masking or a strong warning, it can be captured in terminal history, logs, CI output, or shared transcripts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation states that connectors perform live API calls by default, but it does not prominently warn users that executing the skill may trigger outbound network requests and transmit health-related data to third-party services. Because this skill processes sensitive wellness information, silent default network activity increases privacy and consent risk, especially in local or test environments where users may expect non-networked behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation explicitly states that the tool writes `daily_health.json` while handling highly sensitive personal health data from Oura, Whoop, and Withings, but it provides no warning about secure storage, file permissions, retention, or sharing risks. This omission can lead users to persist regulated or highly private data in insecure locations, increasing the chance of accidental disclosure through backups, repos, shared directories, or logs.

Credential Access

High
Category
Privilege Escalation
Content
--tz "America/New_York" \
  --session-target isolated \
  --message 'Run the health brief:
source ~/.openclaw/secrets/gateway.env
export OPENCLAW_1P_VAULT=YourVault
./bin/health-brief --date "$(date +%F)" --sources whoop,oura,withings --out "/tmp/daily_health_$(date +%F).json"
Read the JSON output. Report only non-null metrics with a Green/Yellow/Red rating.'
Confidence
93% confidence
Finding
.env

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.