Apple Health → OpenClaw

Advisory. Audited by static analysis on May 8, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who sees or scans the QR code or the manual-pairing JSON may obtain the gateway token and could access the user's OpenClaw gateway until the token is rotated or revoked.

Why it was flagged

The setup script automatically reads the local OpenClaw gateway bearer token and prints a token-containing JSON payload for manual pairing. This is sensitive credential use, and it is broader than the registry's 'Primary credential: none' declaration.

Skill content

OPENCLAW_CONFIG = Path.home() / ".openclaw" / "openclaw.json"
...
token = config.get("gateway", {}).get("auth", {}).get("token", "")
...
payload = json.dumps({"url": url, "token": token}, separators=(",", ":"))
...
print(f"\n备用 JSON(手动输入):\n{payload}\n")

Recommendation

Install only if you trust the companion app and the local terminal environment. The skill should declare this credential, avoid printing the full token by default, support scoped/revocable pairing tokens, and document how to rotate the gateway token.

What this means

A user may believe the token is protected when the fallback JSON actually reveals it in full.

Why it was flagged

The script visually masks the token in one line but then prints the full JSON payload containing the token. This conflicts with the SKILL.md rule saying not to expose the bearer token to the user.

Skill content

print(f"Token:    {'*' * 8}{token[-4:]}\n")
...
print(f"\n备用 JSON(手动输入):\n{payload}\n")

Recommendation

Make the credential exposure explicit, require confirmation before showing the raw token-bearing JSON, or provide a safer pairing method that does not reveal the long-lived token.

What this means

Running setup can execute newly downloaded dependency code that was not reviewed as part of the supplied skill artifacts.

Why it was flagged

If the QR-generation dependency is missing, setup.py automatically installs an unpinned package from the Python package index at runtime, even though the skill declares no install spec.

Skill content

print("→ 正在安装 qrcode 库...", flush=True)
subprocess.run(
    [sys.executable, "-m", "pip", "install", "qrcode", "-q"],
    check=True, capture_output=True
)

Recommendation

Declare dependencies in an install spec or requirements file, pin versions, and ask the user before installing packages at runtime.

What this means

The user's OpenClaw gateway may become reachable from the LAN or, on a VPS, over a public network path, with only the bearer token protecting it.

Why it was flagged

Setup starts or restarts the OpenClaw gateway in LAN mode as a background process. This is purpose-aligned for phone pairing, but it changes network exposure and may continue running after setup.

Skill content

subprocess.Popen(
    ["openclaw", "gateway", "--bind", bind_mode, "--force"],
    stdout=subprocess.DEVNULL,
    stderr=subprocess.DEVNULL,
)

Recommendation

Before setup, understand which host and port will be exposed, keep firewall rules tight, and document how to stop the gateway when no longer needed.

What this means

If an unintended or spoofed message matches the trigger, incorrect health data could be stored and later used in health summaries.

Why it was flagged

The skill stores sensitive health data persistently and uses a simple message-prefix trigger for automatic ingestion without confirmation.

Skill content

Activate **automatically** when a message starts with `🍎 Apple Health 数据更新`.

Do NOT ask for confirmation — just ingest and acknowledge in one line.
...
All data lives at `~/.apple-health-sync/health.db`

Recommendation

Use this only with a trusted data source, and consider adding source verification, review controls, and a clear way to inspect or delete stored records.