← Back to Skills Marketplace
nathanielweiner

OpenClaw Health

by NathanielWeiner · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1383
Downloads
2
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-health
Description
Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary.
Usage Guidance
What to check before installing: - Behavior is broadly consistent with the stated purpose (fetching from providers, normalizing, persisting tokens), but the docs slightly overstate behavior: 1Password writeback is NOT automatic unless you set OPENCLAW_1P_WRITEBACK=1 and have the op CLI and appropriate OP credentials available. - Review and decide where rotated tokens should live: by default the skill writes tokens to ~/.openclaw/secrets/health_tokens.json (attempts chmod 600). If you prefer not to keep local tokens, don't enable writeback or change OPENCLAW_LOCAL_SECRETS_PATH. - If you will enable 1Password writeback, treat OP_SERVICE_ACCOUNT_TOKEN as highly sensitive and ensure the service-account/vault have minimal scope. Confirm the 'op' CLI is installed and you understand the vault that will be targeted (OPENCLAW_1P_VAULT). - The registry metadata says no required env vars, but the skill will need credentials (either in 1Password or env vars) to fetch live data. Use OPENCLAW_FORCE_SAMPLE=1 to run smoke tests without credentials. - Inspect the cron example before copying: it sources ~/.openclaw/secrets/gateway.env — verify that file doesn't contain unrelated high-value credentials you don't want the periodic job to source. - If you can't inspect code yourself, run tests/smoke mode first, and consider running the skill in an isolated environment (container or VM) until you are comfortable with where tokens are stored and how writeback behaves.
Capability Analysis
Type: OpenClaw Skill Name: openclaw-health Version: 1.0.0 This skill is classified as suspicious due to its use of high-risk capabilities, although they appear aligned with its stated purpose. It interacts with the 1Password CLI (`op` command in `core/util/secrets.py`) to read and optionally write sensitive OAuth tokens, and it persists these tokens locally in `~/.openclaw/secrets/health_tokens.json` (`core/util/local_secrets.py`). While these actions are necessary for the skill's functionality (fetching health data and managing token rotation), programmatic access to a password manager and local storage of sensitive credentials represent significant security capabilities that could be abused if the skill were compromised or designed with malicious intent. There is no clear evidence of intentional malicious behavior, such as unauthorized data exfiltration to external endpoints or harmful prompt injection against the agent in `SKILL.md`.
Capability Assessment
Purpose & Capability
Name/description match the code: connectors for Oura, WHOOP, Withings; normalization and Markdown rendering; token rotation and local persistence. Network calls, OAuth refresh flows, and local token storage are all expected for this purpose.
Instruction Scope
SKILL.md and README claim tokens are saved to both 1Password and ~/.openclaw/secrets/health_tokens.json 'automatically'. The implementation will persist tokens locally, but 1Password writeback only happens when OPENCLAW_1P_WRITEBACK=1 and the op CLI is available. The docs don't call out that writeback is opt‑in, which is an important behavioral difference. The cron example also sources ~/.openclaw/secrets/gateway.env — that file may contain unrelated automation/gateway credentials (the docs don't explain its contents), so the example could cause broader credential exposure if blindly copied.
Install Mechanism
There is no external installer or remote download; the repository is instruction + local Python code. No install spec (no arbitrary URL downloads) — lower install risk. All network interactions are standard HTTPS requests to provider APIs.
Credentials
The skill uses many environment variables (OP_SERVICE_ACCOUNT_TOKEN, OPENCLAW_1P_VAULT, OPENCLAW_1P_WRITEBACK, OPENCLAW_LOCAL_SECRETS_PATH, WHOOP_*, OURA_*, WITHINGS_*, OPENCLAW_FORCE_SAMPLE, etc.). Those are reasonable for OAuth access and optional 1Password integration, but the registry metadata lists 'Required env vars: none' which is misleading. OP_SERVICE_ACCOUNT_TOKEN in particular grants the skill access to 1Password items (via the op CLI) and should be treated as highly sensitive.
Persistence & Privilege
The skill persists rotated tokens to a local JSON file (~/.openclaw/secrets/health_tokens.json) with an atomic write and attempts to chmod 0600 — this is expected for token rotation. It can also write back to 1Password (via op) when enabled. The skill does not request system-wide privileges or modify other skills. However, the provided cron example sources an external gateway.env file (potentially containing other secrets) — copying that example without review could expose unrelated credentials to the automation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-health
  3. After installation, invoke the skill by name or use /openclaw-health
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: WHOOP, Oura, Withings connectors with unified reauth, local token persistence, and OpenClaw cron integration
Metadata
Slug openclaw-health
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is OpenClaw Health?

Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary. It is an AI Agent Skill for Claude Code / OpenClaw, with 1383 downloads so far.

How do I install OpenClaw Health?

Run "/install openclaw-health" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenClaw Health free?

Yes, OpenClaw Health is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenClaw Health support?

OpenClaw Health is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created OpenClaw Health?

It is built and maintained by NathanielWeiner (@nathanielweiner); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments