OpenClaw Health Brief
by NathanielWeiner · GitHub · v1.0.0
1261 Downloads · 2 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install openclaw-health-brief
Description
Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary.
Usage Guidance
This skill's code implements the described functionality, but the manifest omitted important operational requirements. Before installing or enabling it:
- Assume this will read secrets from your 1Password vault (via the 'op' CLI) if available and from environment variables otherwise. The skill will persist rotated tokens to ~/.openclaw/secrets/health_tokens.json (it attempts chmod 600).
- The skill can also write back refresh tokens to 1Password, but only if you set OPENCLAW_1P_WRITEBACK=1 and have the 'op' CLI and OP_SERVICE_ACCOUNT_TOKEN available — don't enable that flag unless you trust the code and its environment.
- The registry metadata did not declare required binaries or env vars; you should verify and install the 'op' CLI yourself and provide only the minimum secrets needed. Consider using environment-only tokens or a dedicated vault/service-account with least privilege.
- Review core/util/secrets.py and core/util/local_secrets.py to confirm they behave as you expect (they call subprocess.run('op') and atomically write a JSON file).
- If you don't trust the code or the unknown source/owner, don't enable writeback and run the smoke test (./bin/smoke) in an isolated environment first. Ask the publisher for a canonical source repository or homepage before deploying it into production/automated cron jobs.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-health-brief
Version: 1.0.0
This skill bundle is classified as benign. While it involves high-risk capabilities such as reading and writing sensitive OAuth tokens to 1Password (via `op` CLI) and a local file (`~/.openclaw/secrets/health_tokens.json`), and making network requests to external APIs (Oura, Whoop, Withings), these actions are explicitly stated in `SKILL.md` and `README.md`, are necessary for the skill's core functionality (fetching health data and persisting tokens for rotation), and are implemented with security considerations (e.g., opt-in 1Password writeback, `chmod 0o600` for local files). The prompt injection instructions in `SKILL.md` and `README.md` for the AI agent are functional, directing it to process and summarize the skill's output, without any evidence of malicious intent or attempts to manipulate the agent beyond its stated purpose.
Capability Assessment
Purpose & Capability
The code matches the stated purpose (fetch Oura/WHOOP/Withings, normalize, render a brief). However the registry metadata declared no required env vars or binaries while the implementation expects the 1Password CLI ('op'), OP_SERVICE_ACCOUNT_TOKEN / OPENCLAW_1P_VAULT when using 1Password, and various provider tokens as env var fallbacks. The omission in the manifest is an inconsistency.
Instruction Scope
SKILL.md stays within the expected scope (authorize providers via OAuth, run reauth, run brief, add cron). It explicitly instructs storing tokens in 1Password and in a local file (~/.openclaw/secrets/health_tokens.json). The instructions do not appear to request unrelated system data, but they do direct the agent to open a browser for OAuth and to source an existing gateway.env in cron — both of which assume access to local environment and secrets.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain footprint, but the package contains executable Python CLI code and expects external tooling (the 'op' CLI). The absence of an install step means the user is responsible for installing Python dependencies and the 'op' binary; this should have been declared.
Credentials
The skill will read and use many sensitive environment variables and external secrets (OP_SERVICE_ACCOUNT_TOKEN, OPENCLAW_1P_VAULT, WHOOP_*/OURA_*/WITHINGS_*). The registry lists none of these. The code also calls the 'op' CLI via subprocess to read (and optionally write) 1Password items, which is a high-privilege operation. Writeback to 1Password is gated by OPENCLAW_1P_WRITEBACK=1, but that flag is not highlighted in the manifest. The local secrets file (~/.openclaw/secrets/health_tokens.json) is created and persisted (chmod 600 attempted). Because secrets are accessed and persisted, the declared requirements are insufficient and the requested privileges are more than the manifest implies.
Persistence & Privilege
The skill persists rotated tokens to a local JSON file (~/.openclaw/secrets/health_tokens.json) and will attempt 1Password writeback if OPENCLAW_1P_WRITEBACK=1 and 'op' is available. always:false is set and no special platform-wide modifications are requested. This is expected for an OAuth token-handling CLI, but enabling 1Password writeback expands the blast radius, so exercise caution.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-health-brief
- After installation, invoke the skill by name or use /openclaw-health-brief
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: WHOOP, Oura, Withings connectors with unified reauth, local token persistence, and OpenClaw cron integration
Frequently Asked Questions
What is OpenClaw Health Brief?
Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary. It is an AI Agent Skill for Claude Code / OpenClaw, with 1261 downloads so far.
How do I install OpenClaw Health Brief?
Run "/install openclaw-health-brief" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw Health Brief free?
Yes, OpenClaw Health Brief is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OpenClaw Health Brief support?
OpenClaw Health Brief is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OpenClaw Health Brief?
It is built and maintained by NathanielWeiner (@nathanielweiner); the current version is v1.0.0.