Health Mate
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or poisoned health log or generated report could potentially run code under the user's account when the daily runner is executed.
The runner takes generated report text derived from the health memory file and inserts it unescaped into a Python heredoc. If the report text contains Python string delimiters such as triple quotes, it could break out of the string and execute Python code when the runner sends webhooks.
result=$(python3 "${SCRIPT_DIR}/daily_report_pro.py" "$TODAY_FILE" "$CURRENT_DATE" 2>&1)
...
delivery_message=$(echo "$result" | sed -n '/=== DELIVERY_MESSAGE_START ===/,/=== DELIVERY_MESSAGE_END ===/p' | sed '1d;$d')
...
message_text = '''${delivery_message}'''Pass the delivery message as data, not code: use a temporary file, stdin, an environment variable with safe decoding, or JSON serialization, and avoid interpolating report text into executable Python source.
If the local config file is edited or poisoned, the skill can run unintended shell commands during normal report generation.
The shell runner sources the project-local .env file. Sourcing treats the file as shell code, not just key-value configuration, so a modified .env can execute arbitrary shell commands when the runner starts.
if [ -f "${CONFIG_DIR}/.env" ]; then
set -a
source "${CONFIG_DIR}/.env"
set +aParse .env as key-value data instead of sourcing it, restrict file permissions, and review config/.env before scheduled or automated runs.
Sensitive health information may be processed into local PDFs, logs, and messages.
The skill intentionally reads health-memory logs and turns them into reports. This is purpose-aligned, but the logs can contain sensitive health, medication, symptom, diet, and weight information.
It reads structured Markdown logs from `MEMORY_DIR`, generates localized PDF reports, and can optionally deliver the final message to external services.
Point MEMORY_DIR only at the intended health-log folder, protect generated reports/logs, and avoid placing unrelated private files in that directory.
Configured chat or webhook services may receive sensitive health summaries.
The runner can send the generated health-report message to DingTalk, Feishu, or Telegram when the matching credentials are configured. This is disclosed and purpose-aligned, but it sends health-report content to external services.
DINGTALK_WEBHOOK = os.environ.get('DINGTALK_WEBHOOK', '')
FEISHU_WEBHOOK = os.environ.get('FEISHU_WEBHOOK', '')
TG_BOT_TOKEN = os.environ.get('TELEGRAM_BOT_TOKEN', '')
...
req = urllib.request.Request(f'https://api.telegram.org/bot{TG_BOT_TOKEN}/sendMessage', data=dataOnly configure webhooks for accounts/chats you trust, keep tokens private, and disable delivery credentials if you want reports to remain local.
Anyone with access to the local config could misuse configured service tokens or send messages through the connected accounts.
The skill can use API keys and webhook tokens. These credentials are optional and align with the advertised integrations, but they grant the skill authority to call external services.
"TAVILY_API_KEY": "Optional. Enables Tavily-assisted fallback guidance and monthly hospital lookup hints.", "DINGTALK_WEBHOOK": "Optional. Enables DingTalk delivery.", "FEISHU_WEBHOOK": "Optional. Enables Feishu delivery.", "TELEGRAM_BOT_TOKEN": "Optional. Enables Telegram delivery when TELEGRAM_CHAT_ID is also configured."
Use least-privilege tokens where possible, store config/.env securely, and rotate tokens if the skill folder is shared or exposed.
If enabled, the skill downloads a font from GitHub during report generation.
The PDF generator can download fonts at runtime, but only when ALLOW_RUNTIME_FONT_DOWNLOAD is enabled. This is disclosed and purpose-aligned, yet it relies on remote files.
FONT_DOWNLOAD_SOURCES = {
"zh-CN": "https://raw.githubusercontent.com/tankeito/Health-Mate/main/assets/NotoSansSC-VF.ttf",
"ja-JP": "https://raw.githubusercontent.com/google/fonts/main/ofl/notosansjp/NotoSansJP%5Bwght%5D.ttf",
}
...
if allow_runtime_font_download():Leave runtime font download disabled unless needed, or manually install trusted font files under assets/.
Private health reports could become accessible through a public web server if REPORT_WEB_DIR is configured carelessly.
The skill supports copying generated PDFs to a directory intended for public serving. This is optional and disclosed, but a misconfigured web directory could expose sensitive reports beyond the local machine.
"REPORT_WEB_DIR": "Optional. Local directory where generated PDFs can be copied for public serving.", "REPORT_BASE_URL": "Optional. Public base URL used to build downloadable PDF links."
Use REPORT_WEB_DIR only for directories with the intended access controls, and verify generated PDF links before sharing them.