Security audit

Apple Health → OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Apple Health syncing, but it handles health records and a live OpenClaw gateway token with broad automatic behavior that users should review before installing.

Install only if you are comfortable letting this skill read your OpenClaw gateway token, pair an external iOS app, store Apple Health data locally, and potentially expose your gateway over LAN or VPS. Treat the QR/manual JSON as a secret, prefer local-only or HTTPS/tunneled access, avoid unknown sideloaded apps, and review or disable the automatic pip install and auto-ingest behavior where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Auto-install and retry
    print("→ 正在安装 qrcode 库...", flush=True)
    try:
        subprocess.run(
            [sys.executable, "-m", "pip", "install", "qrcode", "-q"],
            check=True, capture_output=True
        )
Confidence
95% confidence
Finding
subprocess.run( [sys.executable, "-m", "pip", "install", "qrcode", "-q"], check=True, capture_output=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes local scripts that read tokens, write a SQLite database, use networking, and execute shell commands, yet it declares no corresponding permissions. This creates a transparency and consent failure: users and the hosting platform may not realize the skill can access sensitive local data, open network paths, and persist health information.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A setup script that silently acquires new Python packages at runtime exceeds simple QR/setup behavior and grants itself software-management capability. In security-sensitive environments, unexpected dependency installation increases attack surface and can introduce unreviewed code onto the system.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The activation rule for health queries is very broad and can trigger on ordinary conversation about health topics without clear user intent to access stored Apple Health data. In this context, accidental invocation could expose sensitive biometric history from the local database when the user was only asking a general question.

Missing User Warnings

High
Confidence
97% confidence
Finding
The setup flow explicitly reads the OpenClaw gateway token and emits configuration details as a QR code and raw JSON, but the user is not warned that scanning, displaying, or sharing this output exposes a live credential and connection endpoint. Because the skill also supports VPS/public IP use, leaked setup output could enable unauthorized remote access to the gateway.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script installs qrcode via pip after only printing a generic status message, without obtaining informed user consent. That behavior can surprise operators, violate least astonishment, and expose the environment to package-index or dependency compromise risks.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Rules

1. Auto-ingest first, acknowledge second — no confirmation prompts on incoming data.
2. Never fabricate data — only report what's in the database.
3. All responses in Chinese.
4. Never expose the bearer token to the user.
Confidence
84% confidence
Finding
no confirmation

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.