Fitbit Health Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI can access Fitbit health categories authorized by the user, and the agent can use those results in answers.
The Fitbit OAuth grant covers multiple sensitive health/profile scopes. This matches the advertised Fitbit health purpose, but it is still account-level delegated access that users should approve deliberately.
const DEFAULT_SCOPE = "activity heartrate sleep weight profile"; ... authUrl.searchParams.set("scope", DEFAULT_SCOPE);
Review the Fitbit consent screen carefully, authorize only if you are comfortable with these scopes, and revoke access when you no longer need the skill.
Anyone with access to this local token file could use the Fitbit authorization until it is revoked or expires.
The skill persists OAuth access and refresh tokens under the user's home config directory and sets restrictive permissions. This is disclosed and expected for a CLI integration, but the tokens remain sensitive.
const TOKENS_PATH = path.join(CONFIG_DIR, "tokens.json"); ... await fs.writeFile(tempPath, JSON.stringify(tokens, null, 2), "utf8"); ... await fs.chmod(TOKENS_PATH, 0o600);
Keep the local account secure, do not share the token file, and use `fitbit logout` or Fitbit's app-revocation controls when done.
Fitbit profile and health metrics may be visible in chat responses or logs wherever the agent output is stored.
The skill can retrieve and print personal health/profile attributes, which may enter the active agent conversation context when used through Clawdbot.
{ key: "Age", value: String(user.age) }, ... { key: "Gender", value: user.gender }, ... { key: "Height", value: `${user.height} ${user.heightUnit}` }, ... { key: "Weight", value: `${user.weight} ${user.weightUnit}` }
Use the skill only in conversations where you are comfortable exposing Fitbit health details, and avoid sharing transcripts that contain this data.
Installing from an unverified source or at a later time could pull dependency versions different from those reviewed here.
Manual npm installation can resolve dependency versions within these semver ranges. This is common for Node CLIs and not suspicious by itself, but users should verify the install source.
"dependencies": { "chalk": "^5.3.0", "cli-table3": "^0.6.5", "commander": "^12.0.0", "date-fns": "^3.6.0", "open": "^10.0.4" }
Install from the intended repository/package, prefer a lockfile or pinned release when possible, and review dependency changes during updates.
