Withings Family
v1.1.2
Fetches health data from the Withings API for multiple family members including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use...
by Oliver Drobnik @odrobnik
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description ask for Withings data and the package only requires python3 plus WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET. The scripts perform OAuth and call Withings endpoints (account.withings.com and wbsapi.withings.net), which is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the included Python scripts and describes OAuth flows and token storage. The runtime instructions and the scripts' operations are narrowly scoped to authenticating and fetching Withings measurements; they only reference files under ~/.openclaw/withings-family (legacy ~/.moltbot/) and the declared env vars. No instructions ask the agent to read unrelated system files or transmit data to unknown endpoints.
Install Mechanism
No install spec — the skill is instruction + included scripts. Nothing is downloaded at install time and no external packages or arbitrary URLs are used. Risk from installation is low because code ships with the skill and no extraction from untrusted URLs occurs.
Credentials
Only two env vars are required: WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET. Those are the expected credentials for calling the Withings API. The scripts also optionally read a config.json from the skill directory under the user's home; this is proportional to storing credentials/config for the skill. No unrelated secrets or system credentials are requested.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills or global agent config, and only persists per-user token files under the user's home directory. It attempts to set restrictive permissions (0600) on token files. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.
Assessment
This skill appears to do exactly what it says: it needs your Withings developer Client ID/Secret and will store per-user OAuth tokens in ~/.openclaw/withings-family (legacy ~/.moltbot/withings-family). Before installing, consider: (1) only provide WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET if you trust the skill/source; (2) the scripts start a local callback server (localhost:18081) during OAuth — ensure that port is available and run the flow only on a trusted machine; (3) token files are written to your home directory and the code attempts to chmod them to 0600 — verify those files and revoke tokens in your Withings account if you stop using the skill; (4) the SKILL.md contains a minor doc mismatch (the oauth helper docstring mentions port 8080 but the script and README use 18081), which is non-malicious but worth noting; (5) because code is included in cleartext, you can and should review it yourself if you have concerns. Overall the requirements and behavior are proportionate to the skill's purpose.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚖️ Clawdis
Bins: python3
Env: WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET
