Zen+ Health

Pass

Audited by ClawScan on May 1, 2026.

Overview

Zen+ Health is a read-only, instruction-only integration, but it can let OpenClaw view sensitive wellness/profile data through your Zen+ API key.

Before installing, confirm you trust the Zen+ Health integration and are comfortable letting OpenClaw read your wellness notifications, timeline, and profile data. Use the official HTTPS API base URL, keep the API key private, prefer a dedicated read-only key, and check OpenClaw logging/retention settings for sensitive wellness data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the base URL is misconfigured, the API key could be sent to the wrong endpoint; with the documented official URL, this is normal read-only API use.

Why it was flagged

The skill uses shell commands with curl to call a configured API endpoint and send the API key as a bearer token. This is expected for an instruction-only API integration, but the destination base URL must remain trusted.

Skill content

curl -H "Authorization: Bearer ${ZEN_API_KEY}" \
     "${ZEN_API_BASE_URL}/v1/me/notifications?limit=10"

Recommendation

Use the documented HTTPS base URL, avoid changing it to untrusted domains, and inspect commands before running or allowing the agent to run them.

What this means

OpenClaw can retrieve and display private Zen+ wellness notifications, activity history, and profile/preferences associated with the API key.

Why it was flagged

The artifacts clearly disclose that the personal API key grants read access to health-adjacent wellness data and profile information.

Skill content

This skill can read:
- Your wellness notifications
- Your activity timeline
- Your profile information (name, email, preferences)
- Available task catalogue (public data)

Recommendation

Only install if you are comfortable with that read access; use a dedicated scoped key, keep it out of chats/screenshots, and revoke it when no longer needed.

What this means

Sensitive wellness data returned by the API could persist in local or hosted OpenClaw logs depending on your OpenClaw configuration.

Why it was flagged

The security document discloses that API responses containing wellness/profile data may enter OpenClaw logs or configured caching outside the Zen+ API itself.

Skill content

No data is cached by OpenClaw (unless you configure it)
- API responses may be logged by your OpenClaw instance

Recommendation

Review your OpenClaw logging and retention settings before using the skill, especially in shared or workplace environments.