Withings Family

v1.1.2

Fetches health data from the Withings API for multiple family members including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use...

⭐ 1· 2.1k·2 current·2 all-time

byOliver Drobnik@odrobnik

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description ask for Withings data and the package only requires python3 plus WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET. The scripts perform OAuth and call Withings endpoints (account.withings.com and wbsapi.withings.net), which is consistent with the stated purpose.

✓

Instruction Scope

SKILL.md instructs running the included Python scripts and describes OAuth flows and token storage. The runtime instructions and the scripts' operations are narrowly scoped to authenticating and fetching Withings measurements; they only reference files under ~/.openclaw/withings-family (legacy ~/.moltbot/) and the declared env vars. No instructions ask the agent to read unrelated system files or transmit data to unknown endpoints.

✓

Install Mechanism

No install spec — the skill is instruction + included scripts. Nothing is downloaded at install time and no external packages or arbitrary URLs are used. Risk from installation is low because code ships with the skill and no extraction from untrusted URLs occurs.

✓

Credentials

Only two env vars are required: WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET. Those are the expected credentials for calling the Withings API. The scripts also optionally read a config.json from the skill directory under the user's home; this is proportional to storing credentials/config for the skill. No unrelated secrets or system credentials are requested.

✓

Persistence & Privilege

The skill does not request 'always' presence, does not modify other skills or global agent config, and only persists per-user token files under the user's home directory. It attempts to set restrictive permissions (0600) on token files. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.

Assessment

This skill appears to do exactly what it says: it needs your Withings developer Client ID/Secret and will store per-user OAuth tokens in ~/.openclaw/withings-family (legacy ~/.moltbot/withings-family). Before installing, consider: (1) only provide WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET if you trust the skill/source; (2) the scripts start a local callback server (localhost:18081) during OAuth — ensure that port is available and run the flow only on a trusted machine; (3) token files are written to your home directory and the code attempts to chmod them to 0600 — verify those files and revoke tokens in your Withings account if you stop using the skill; (4) the SKILL.md contains a minor doc mismatch (the oauth helper docstring mentions port 8080 but the script and README use 18081), which is non-malicious but worth noting; (5) because code is included in cleartext, you can and should review it yourself if you have concerns. Overall the requirements and behavior are proportionate to the skill's purpose.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

⚖️ Clawdis

Binspython3

EnvWITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET

latestvk97bqmqr988w3ztha4c8ep9mex826g27

2.1kdownloads

1stars

8versions

Updated 1mo ago

v1.1.2

MIT-0

This skill allows you to interact with Withings accounts for multiple family members to retrieve comprehensive health metrics from Withings devices (smart scales, sleep analyzers, activity trackers, etc.).

Multi-User Support

This skill natively supports multiple users with per-user token files:

tokens-alice.json
tokens-bob.json
tokens-charlie.json

Each family member authenticates once via OAuth. Their tokens are stored separately and refreshed automatically. No token copying or switching required — just pass the user ID as the first argument.

python3 scripts/withings.py alice weight
python3 scripts/withings.py bob sleep
python3 scripts/withings.py charlie activity

When to Use This Skill

Use this skill when the user:

Asks about their weight or weight history
Wants to see their body composition (fat %, muscle mass, bone mass, hydration)
Requests their daily activity (steps, distance, calories burned)
Asks about their sleep data (duration, quality, deep sleep, REM)
Mentions "Withings" or any Withings device (Body+, Sleep Analyzer, ScanWatch, etc.)
Wants to track their or their family's health progress over time

Setup: Creating a Withings Developer App

Before using this skill, you need to create a free Withings developer application to get your API credentials.

Step 1: Create a Withings Developer Account

Go to Withings Developer Portal
Click Sign Up or Log In if you already have a Withings account
Accept the Developer Terms of Service

Step 2: Create Your Application

Navigate to My Apps → Create an Application
Fill in the application details:
- Application Name: Choose a name (e.g., "My Moltbot Health")
- Description: Brief description of your use case
- Contact Email: Your email address
- Callback URL: http://localhost:18081 (required for OAuth)
- Application Type: Select "Personal Use" or appropriate type
Submit the application

Step 3: Get Your Credentials

Once your application is created:

Go to My Apps and select your application
You'll find:
- Client ID → Set as WITHINGS_CLIENT_ID environment variable
- Client Secret → Set as WITHINGS_CLIENT_SECRET environment variable

Step 4: Configure Environment Variables

Add these to your Moltbot environment:

export WITHINGS_CLIENT_ID="your_client_id_here"
export WITHINGS_CLIENT_SECRET="your_client_secret_here"

Or create a .env file in ~/.openclaw/withings-family/.env (legacy: ~/.moltbot/withings-family/.env):

WITHINGS_CLIENT_ID=your_client_id_here
WITHINGS_CLIENT_SECRET=your_client_secret_here

Configuration

The skill provides two scripts (in scripts/):

scripts/withings_oauth_local.py — Automatic OAuth with local callback server (recommended)
scripts/withings.py — Main CLI + manual OAuth

Credentials location: ~/.openclaw/withings-family/ (legacy: ~/.moltbot/withings-family/)

.env — Client ID/Secret (optional, can use ENV vars instead)
tokens-<userId>.json — OAuth tokens per user (mode 600)

Before any data retrieval, check if the user is authenticated. If an error mentions "No token found", guide the user through the initial authentication process for that specific user.

Authentication Methods

Method A: Automatic OAuth (Recommended)

Uses a local callback server to capture the code automatically:

python3 {baseDir}/scripts/withings_oauth_local.py <userId>

Example:

python3 {baseDir}/scripts/withings_oauth_local.py alice

The script will:

Print the authorization URL
Start a local server on localhost:18081
Wait for the redirect
Automatically capture the code and exchange for tokens
Save tokens to tokens-<userId>.json

Method B: Manual OAuth

Traditional two-step flow (see "Authentication" command below).

Available Commands

All commands follow the format:

python3 {baseDir}/scripts/withings.py <userId> <command> [options]

1. Authentication

First-time setup for a user — generates the OAuth URL:

python3 {baseDir}/scripts/withings.py alice auth

After the user visits the URL and gets the authorization code:

python3 {baseDir}/scripts/withings.py alice auth YOUR_CODE_HERE

Repeat for each family member who needs access.

2. Get Weight

Retrieve the latest weight measurements:

python3 {baseDir}/scripts/withings.py alice weight

Returns the 5 most recent weight entries in JSON format.

Example output:

[
  { "date": "2026-01-17T08:30:00.000Z", "weight": "75.40 kg" },
  { "date": "2026-01-16T08:15:00.000Z", "weight": "75.65 kg" }
]

3. Get Body Composition

Retrieve comprehensive body metrics (fat, muscle, bone, water, BMI):

python3 {baseDir}/scripts/withings.py alice body

Returns the 5 most recent body composition measurements.

Example output:

[
  {
    "date": "2026-01-17T08:30:00.000Z",
    "weight": "75.40 kg",
    "fat_percent": "18.5%",
    "fat_mass": "13.95 kg",
    "muscle_mass": "35.20 kg",
    "bone_mass": "3.10 kg",
    "hydration": "55.2%"
  }
]

4. Get Activity

Retrieve daily activity data (steps, distance, calories):

python3 {baseDir}/scripts/withings.py alice activity

Optionally specify the number of days (default: 7):

python3 {baseDir}/scripts/withings.py alice activity 30

Example output:

[
  {
    "date": "2026-01-17",
    "steps": 8542,
    "distance": "6.23 km",
    "calories": 2150,
    "active_calories": 450,
    "soft_activity": "45 min",
    "moderate_activity": "22 min",
    "intense_activity": "8 min"
  }
]

5. Get Sleep

Retrieve sleep data and quality:

python3 {baseDir}/scripts/withings.py alice sleep

Optionally specify the number of days (default: 7):

python3 {baseDir}/scripts/withings.py alice sleep 14

Example output:

[
  {
    "date": "2026-01-17",
    "start": "23:15",
    "end": "07:30",
    "duration": "8h 15min",
    "deep_sleep": "1h 45min",
    "light_sleep": "4h 30min",
    "rem_sleep": "1h 30min",
    "awake": "30min",
    "sleep_score": 82
  }
]

Error Handling

Common errors and how to resolve them:

Error	Cause	Solution
"No token found"	User not authenticated	Run `python3 scripts/withings.py <userId> auth` and follow the OAuth flow
"Failed to refresh token"	Token expired and refresh failed	Re-authenticate with `python3 scripts/withings.py <userId> auth`
"API Error Status: 401"	Invalid or expired credentials	Check your CLIENT_ID and CLIENT_SECRET, re-authenticate
"API Error Status: 503"	Withings API temporarily unavailable	Wait and retry later
Empty data	No measurements in the requested period	User needs to sync their Withings device

Notes

Multi-user: Each family member has their own token file (tokens-{userId}.json)
Token refresh: Tokens are automatically refreshed when they expire
Scopes: Withings API scopes used: user.metrics, user.activity
Device support: Data availability depends on which Withings devices the user owns
Body composition: Requires a compatible smart scale (e.g., Body+, Body Comp)

Comments

Loading comments...