Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wellness Coach AI

v1.0.0

Launch a personalized AI wellness coach video session (Baymax persona) using Tavus CVI + Claude. Fetches real wearable health data (sleep, HRV, recovery) and...

by Andre Chuabio (@andrechuabio)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for andrechuabio/wellness-coach.

Install the skill "Wellness Coach AI" (andrechuabio/wellness-coach) from ClawHub.
Skill page: https://clawhub.ai/andrechuabio/wellness-coach
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wellness-coach

ClawHub CLI

npx clawhub@latest install wellness-coach
Security Scan
Capability signals
Crypto, Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly requires ANTHROPIC and TAVUS credentials and describes integrating Oura/Fitbit/Google Calendar and Telegram. However the registry metadata lists no required environment variables or credentials — a clear mismatch. Asking for wearable tokens and calendar OAuth is coherent with the wellness purpose, but the metadata omission and requests for multiple external service credentials are disproportionate to what the registry claims.
Instruction Scope
Runtime instructions direct the agent/operator to clone and run a backend (uvicorn) and cron scripts that fetch health data, create live Tavus sessions, and send Telegram briefings. They include a /debug-env endpoint to 'check all API keys are loaded' (which could expose secrets if accessible) and an OpenClaw HEARTBEAT entry that instructs the agent to forward formatted messages 'as-is' — enabling automated, verbatim message forwarding. These behaviors go beyond a simple query/response skill and introduce automation and potential data exposure.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md directs users to git clone https://github.com/AndreChuabio/wellness-coach and pip install requirements from that repo. That effectively causes a third-party code download and execution on the host. Because the skill bundle itself does not include the code and the upstream repo owner is external/unknown relative to the registry owner, this raises risk unless you audit the repository first.
Credentials
The documentation lists multiple sensitive env vars (ANTHROPIC_API_KEY, TAVUS_API_KEY, TAVUS_REPLICA_ID, TAVUS_PERSONA_ID, OURA/Fitbit tokens, Google credentials/token, and implicitly a Telegram bot token) but the registry metadata claims none are required. Some required tokens (e.g., Telegram bot token) are not explicitly documented in SKILL.md. The number and sensitivity of secrets requested is high and not reflected in the package metadata — a proportionality and transparency problem.
Persistence & Privilege
The skill itself is not 'always: true', but the instructions ask you to register a daily OpenClaw cron and add an OpenClaw HEARTBEAT.md entry that will cause an agent to automatically run the pipeline and forward messages. Combined with the ability to send Telegram messages verbatim and the presence of a /debug-env endpoint, this grants ongoing automation with access to sensitive tokens and outbound delivery channels — increasing the blast radius if abused.
What to consider before installing
Do not run or deploy this code without review. Key checks before installing: (1) Verify the GitHub repository contents and the identity/reputation of the repo owner; inspect backend/cron/send_briefing.py and backend/context_builder.py for any data exfiltration or unexpected network calls. (2) Don’t expose the /debug-env endpoint publicly — it may reveal secrets. (3) Confirm exactly which environment variables are required (including Telegram bot token) and scope them to least privilege; prefer creating tokens with minimal permissions and rotate them after testing. (4) If you enable the OpenClaw cron/heartbeat automation, ensure the recipient and message formatting are correct and consider requiring manual confirmation rather than verbatim automatic forwarding. (5) Test in an isolated environment (VM/container) and review network activity during a dry run. If you cannot or will not audit the upstream code, treat this skill as untrusted and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-coach, health, latest, meditation, tavus, wellness
69 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Wellness Coach

Spin up a personalized Baymax wellness coach video session from health + calendar data.

What This Skill Does

  1. Reads wearable health data (mock or real: Oura/Fitbit/Apple Health)
  2. Fetches today's Google Calendar events
  3. Calls Claude to generate a Baymax system prompt + wellness recommendations
  4. Creates a live Tavus CVI session (interactive video avatar)
  5. Optionally delivers a Telegram morning briefing with the session link

Project Setup

git clone https://github.com/AndreChuabio/wellness-coach
cd wellness-coach
pip install -r backend/requirements.txt
cp .env.example .env  # fill in API keys

Required API Keys (.env)

ANTHROPIC_API_KEY=       # Claude context generation
TAVUS_API_KEY=           # Tavus CVI sessions
TAVUS_REPLICA_ID=        # Avatar replica (platform.tavus.io → Replicas)
TAVUS_PERSONA_ID=        # Baymax persona (platform.tavus.io → Personas)

Running the Backend

cd backend
uvicorn main:app --reload
# Swagger UI: http://localhost:8000/docs

Running the Frontend

cd frontend
python3 -m http.server 3000
# Open: http://localhost:3000

Key Endpoints

| Method | Path | What it does |
|--------|------|--------------|
| GET | /health-data | Today's wearable metrics |
| GET | /calendar | Today's calendar events |
| POST | /start-session | Full pipeline → Tavus CVI URL + recs |
| GET | /debug-env | Check all API keys are loaded |
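
The scan results above note that /debug-env could expose secrets if it is reachable. The following is an added example, not code from the wellness-coach repository, of a key check that reports only whether each variable is present and answers only loopback callers. `debug_env_response` and its return shape are hypothetical; the key names come from the .env list on this page.

```python
import ipaddress
import json

# Key names taken from the "Required API Keys (.env)" list on this page.
REQUIRED_KEYS = ("ANTHROPIC_API_KEY", "TAVUS_API_KEY",
                 "TAVUS_REPLICA_ID", "TAVUS_PERSONA_ID")


def key_state(value):
    """Classify a variable without ever returning its value."""
    if value is None:
        return "missing"
    if not value.strip():
        return "empty"
    return "set"


def is_loopback(client_host):
    """True only for loopback addresses; unparsable hosts are rejected."""
    try:
        return ipaddress.ip_address(client_host).is_loopback
    except ValueError:
        return False


def debug_env_response(client_host, environ):
    """Hypothetical framework-agnostic handler: returns (status, body)."""
    if not is_loopback(client_host):
        # Answer like an unknown route so the endpoint is not advertised.
        return 404, {"detail": "Not Found"}
    states = {name: key_state(environ.get(name)) for name in REQUIRED_KEYS}
    all_set = all(state == "set" for state in states.values())
    return 200, {"keys": states, "all_set": all_set}


if __name__ == "__main__":
    # Constructed sample environment; the values are not real credentials.
    sample_env = {
        "ANTHROPIC_API_KEY": "constructed-value-1",
        "TAVUS_API_KEY": "   ",
        "TAVUS_REPLICA_ID": "constructed-value-2",
    }
    for host in ("127.0.0.1", "203.0.113.7"):
        status, body = debug_env_response(host, sample_env)
        print(host, status, json.dumps(body))
```

When the backend sits behind a reverse proxy on the same host, every request arrives from loopback, so the address check alone does not restrict access in that deployment.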

Morning Briefing Pipeline (Telegram)

Run both scripts back-to-back — always together so the Tavus link is fresh:

python3 cron/morning_context.py && python3 cron/send_briefing.py

This builds context, pre-warms a Tavus session, and sends a Telegram message with:

  • Sleep score, HRV, recovery score
  • Today's calendar summary
  • Top wellness recommendation
  • Live Tavus session link (valid ~10 min after creation)

Automated Daily Cron (OpenClaw)

Register a 7AM daily cron via OpenClaw to automate the morning briefing. See references/openclaw-cron.md for the exact setup.

Connecting Real Wearable Data

See references/wearables.md for Oura, Fitbit, and Apple Health integration guides.

Google Calendar Integration

See references/gcal-setup.md for OAuth setup to get real calendar events.

Wellness Recommendations Logic

Recommendations are generated in backend/context_builder.py based on:

| Signal | Trigger | Suggestion |
|--------|---------|------------|
| HRV < 50ms | below avg | Box breathing, recovery day |
| Sleep score < 75 | poor sleep | Nap window, caffeine cutoff |
| High-stakes meeting | keyword match | 4-7-8 breathing beforehand |
| 4+ meetings | packed day | Micro-meditations between meetings |
| Recovery ≥ 80 + HRV ≥ avg | great day | Push harder, workout, cold exposure |

Knowledge Base (Tavus Persona)

Upload wellness content directly to the Tavus Persona via: platform.tavus.io → Personas → Your Persona → Knowledge Base → Add Files

Format files as structured scripts:

# [Exercise Name]
## When to use
## Script (word-for-word guide)
## Duration

Tavus Persona Settings

  • LLM: tavus-gpt-oss (or custom Claude endpoint)
  • STT: tavus-advanced
  • TTS: Tavus Default
  • Hotwords: HRV, Baymax, meditation, breathing, recovery
  • Turn detection: Sparrow-1 (user mutes mic to trigger response)

Common Issues

Avatar nods but doesn't speak → Mic permission not granted. Click lock icon in browser → allow microphone → rejoin.

Mock mode despite keys set → .env not loading. Run /debug-env to verify. Ensure .env is in project root, not backend/.

Tavus link expired → Sessions last ~10 min. Always run morning_context.py and send_briefing.py together right before use.

GCal shows mock data → Set GOOGLE_CREDENTIALS_PATH and GOOGLE_TOKEN_PATH in .env. Run python3 setup_gcal.py once to authorize.
