← Back to Skills Marketplace
Vitavault
by
Brandon Stewart
· GitHub ↗
· v1.3.0
726
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install vitavault
Description
VitaVault iOS app integration - sync Apple Health data directly to your AI agent. Auto-setup webhook, token generation, and HTTPS exposure. Works with any iP...
Usage Guidance
Before installing or running this skill, consider the following: 1) Health data is highly sensitive — exposing an HTTP(S) webhook to the public (even via tunnels) risks leakage if the sync token is misconfigured, leaked, or omitted. Ensure the VITAVAULT_SYNC_TOKEN is set, long, and stored securely. 2) The SKILL.md repeatedly promises "no middleman," but scripts/query.py requires a VITAVAULT_API_URL (a cloud API endpoint) — ask the developer what that cloud client is for and whether it will send or pull data from an external server. 3) The instructions create a systemd service and recommend sudo operations; only proceed if you trust the code and understand how to adjust file paths, service user, and firewall rules. 4) Prefer Tailscale Funnel or a private domain behind your own reverse proxy over public temporary tunnels for long-term use; temporary tunnels (ngrok, trycloudflare) are fine for short tests but not recommended for production health sync. 5) Review the shipped Python scripts yourself (or run them in an isolated VM/container) — the webhook code shown saves incoming payloads locally and does not call external endpoints, but the query client will contact whatever URL you set in VITAVAULT_API_URL. 6) If you accept the setup, perform an initial test with innocuous data, verify Authorization header enforcement, and restrict exposure (use firewall rules, Tailscale, or private domain). If you need more certainty, ask the skill author to explicitly document the cloud API behavior and to include a manifest of which components are optional (local webhook vs cloud client).
Capability Analysis
Type: OpenClaw Skill
Name: vitavault
Version: 1.3.0
The skill is classified as suspicious due to a significant contradiction between its stated purpose and the functionality of `scripts/query.py`. The `SKILL.md` explicitly claims "No shared servers, no middleman - data flows phone to your agent only" and that data is saved "nowhere else" than the agent's host. However, `scripts/query.py` is designed to query a *remote* API (requiring `VITAVAULT_API_URL` environment variable) and is listed in `SKILL.md` under 'Querying Health Data' as if it operates on local data. This deceptive representation of external network activity, despite claims of local-only data handling, raises concerns about transparency and potential for undisclosed data interactions.
Capability Assessment
Purpose & Capability
Most files (webhook.py, import.py, summary.py, briefing.py) align with the stated purpose of receiving and processing Apple Health data locally. However, scripts/query.py is written as a client for a VitaVault cloud API and requires VITAVAULT_API_URL — this conflicts with the SKILL.md's repeated claim of a direct phone→agent flow with "No shared servers, no middleman." The presence of both a local webhook receiver and a cloud-API client is plausible (optional features), but the mismatch is unexplained in the documentation and registry metadata.
Instruction Scope
The SKILL.md instructs the agent to generate tokens, run a background webhook, expose that webhook publicly (Tailscale Funnel, cloudflared, ngrok, or reverse proxy), and create/enable a systemd service. These steps touch system-level configuration, require sudo in places, and create a publicly reachable HTTPS endpoint that will receive sensitive health data — all of which are consistent with a webhook receiver but are high-impact operations and should only be done with explicit user consent and careful setup.
Install Mechanism
There is no automated install spec (no downloads or arbitrary archives). The skill ships Python scripts and an instruction-only setup flow; nothing writes arbitrary third-party binaries to disk. This is lower risk than an automated remote download/install, though running the provided commands will create files and services locally.
Credentials
The registry metadata declares no required env vars, but the shipped code and SKILL.md use VITAVAULT_SYNC_TOKEN (for webhook auth) and query.py requires VITAVAULT_API_URL (and optionally VITAVAULT_SYNC_TOKEN). The VITAVAULT_SYNC_TOKEN is proportional to the webhook purpose, but the required VITAVAULT_API_URL for the cloud query is not justified by SKILL.md's 'no middleman' claim. There are no unrelated credentials requested, but the public exposure instructions increase the risk of accidental data exposure if auth or tunnel configuration is misused.
Persistence & Privilege
The guide recommends creating a systemd service and enabling it with sudo, which grants persistent, system-level presence and a network-exposed listener. The skill does not set always: true, but the suggested systemd install is a persistent privilege and should be treated as a deliberate, high-impact change requiring the user's explicit approval and careful configuration (paths, token, user account, firewall).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install vitavault - After installation, invoke the skill by name or use
/vitavault - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.3.0
**VitaVault 1.3.0 – Major upgrade: Adds webhook-based Apple Health sync and auto-setup**
- New webhook receiver script for direct iPhone-to-agent health data sync (no Mac or shared servers required)
- Detailed, step-by-step agent setup guide to fully automate secure token generation, webhook launch, HTTPS exposure (Tailscale, Cloudflare, ngrok, or custom domain), and persistent service setup
- Data now syncs directly to your agent every time VitaVault opens, storing files locally for privacy
- Simplified user experience: agent handles all technical setup and hands user a ready-to-use URL and token
- Previous export/analysis methods (JSON, CSV, AI-ready text) still supported, with updated instructions
v1.1.1
SECURITY: Removed hardcoded API URL. All endpoints now require user-configured VITAVAULT_API_URL environment variable.
v1.2.0
Added auto-sync with OpenClaw - query scripts, API docs, no Mac required
v1.1.0
Updated skill with full app integration details, export format docs, and analysis prompts
v1.0.0
Initial release: import VitaVault iOS health exports, query 48 health metrics, generate summaries and morning briefing blocks for OpenClaw agents
Metadata
Frequently Asked Questions
What is Vitavault?
VitaVault iOS app integration - sync Apple Health data directly to your AI agent. Auto-setup webhook, token generation, and HTTPS exposure. Works with any iP... It is an AI Agent Skill for Claude Code / OpenClaw, with 726 downloads so far.
How do I install Vitavault?
Run "/install vitavault" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Vitavault free?
Yes, Vitavault is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Vitavault support?
Vitavault is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Vitavault?
It is built and maintained by Brandon Stewart (@brandons7); the current version is v1.3.0.
More Skills