Personal Health Agent
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: personal-health-agent Version: 0.4.0 The skill bundle includes a script, `fitbit_analyze.py`, which provides a direct execution sink for arbitrary Python code via the `exec()` function. While this is intended for data science and visualization of Fitbit data as described in `SKILL.md`, it creates a significant Remote Code Execution (RCE) surface that could be exploited via prompt injection to run malicious commands on the host. There is no evidence of intentional malice or data exfiltration to third parties; however, the lack of sandboxing for agent-generated code makes the bundle high-risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated analysis could accidentally or intentionally read local files, overwrite data, import modules, or make network calls under the user's account.
The script accepts a command-line code string and executes it directly with Python exec in a namespace that includes Fitbit data paths and loaded dataframes, without sandboxing or approval controls.
else:
code = sys.argv[1]
...
exec(code, namespace)Only run reviewed analysis code. The maintainer should replace raw exec with predefined analysis functions or sandbox it with restricted builtins, imports, file access, and explicit user approval.
Users may provide Fitbit credentials or health data believing no outside service can receive it, even though model/provider handling depends on the OpenClaw runtime and chosen model.
The README simultaneously advertises use with third-party model providers and claims health data stays local with no third-party sharing. For sensitive Fitbit data and setup secrets, that privacy claim is too broad and may be misleading.
This skill teaches your OpenClaw agent (any model — Claude, GPT, Gemini) how to query and analyze your Fitbit data... Your health data stays local on your machine. - No data is sent to any third party
Treat Fitbit data and setup secrets as sensitive model-context data unless you are using a fully local/private model. The skill should clearly document where tool outputs, OAuth codes, and health summaries may be sent.
Anyone who can access the token file may be able to query detailed Fitbit health data until the token is revoked or expires.
The skill requests broad read access to Fitbit health categories and stores OAuth tokens locally. This is purpose-aligned for a Fitbit health assistant, but it is sensitive account access.
SCOPES = [
"activity", "heartrate", "sleep", "profile",
"respiratory_rate", "oxygen_saturation", "temperature",
"cardio_fitness",
]
...
TOKEN_FILE = BASE_DIR / "data" / "fitbit_token.json"Use the documented read-only Fitbit app setting, protect the skill data directory, and revoke the Fitbit app token if you stop using the skill.
Private health conditions and goals can remain on disk and be reused in later agent interactions.
The skill persists user-entered health goals and optional medical conditions for reuse in future insights. This is expected personalization, but it creates sensitive persistent context.
PROFILE_PATH = BASE_DIR / "data" / "user_profile.json" ... "field": "health_conditions", "question": "Any health conditions the agent should be aware of? (optional)"
Only enter health details you are comfortable storing locally, review or delete data/user_profile.json when needed, and ensure local file permissions are appropriate.
The agent may surface health insights when the user did not specifically ask at that moment, depending on how OpenClaw briefings or cron jobs are configured.
The skill encourages scheduled or proactive health briefings. That fits the assistant purpose, but users should explicitly opt in before automatic recurring analysis of sensitive health data.
### Proactive Insights (run this in daily crons/briefings) ... **Be proactive, not passive.** Don't wait for the user to ask — deliver insights automatically.
Enable daily briefings or cron jobs only if you want them, and set the briefing preference to none or anomaly-only if you do not want routine proactive analysis.