← Back to Skills Marketplace
Withings Family
by
Oliver Drobnik
· GitHub ↗
· v1.1.2
2171
Downloads
1
Stars
2
Active Installs
8
Versions
Install in OpenClaw
/install withings-family
Description
Fetches health data from the Withings API for multiple family members including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use...
Usage Guidance
This skill appears to do exactly what it says: it needs your Withings developer Client ID/Secret and will store per-user OAuth tokens in ~/.openclaw/withings-family (legacy ~/.moltbot/withings-family). Before installing, consider: (1) only provide WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET if you trust the skill/source; (2) the scripts start a local callback server (localhost:18081) during OAuth — ensure that port is available and run the flow only on a trusted machine; (3) token files are written to your home directory and the code attempts to chmod them to 0600 — verify those files and revoke tokens in your Withings account if you stop using the skill; (4) the SKILL.md contains a minor doc mismatch (the oauth helper docstring mentions port 8080 but the script and README use 18081), which is non-malicious but worth noting; (5) because code is included in cleartext, you can and should review it yourself if you have concerns. Overall the requirements and behavior are proportionate to the skill's purpose.
Capability Analysis
Type: OpenClaw Skill
Name: withings-family
Version: 1.1.2
The OpenClaw Withings Family skill is benign. It securely handles OAuth authentication with Withings API, including robust user ID sanitization to prevent path traversal for token files, secure file permissions (0o600) for sensitive tokens, and CSRF protection using a 'state' parameter during the OAuth flow. All network communication is directed to legitimate Withings API endpoints, and there is no evidence of data exfiltration to unauthorized destinations, malicious command execution, persistence mechanisms, or prompt injection attempts in the SKILL.md documentation. The code's functionality is entirely aligned with its stated purpose of fetching health data.
Capability Assessment
Purpose & Capability
Name/description ask for Withings data and the package only requires python3 plus WITHINGS_CLIENT_ID/WITHINGS_CLIENT_SECRET. The scripts perform OAuth and call Withings endpoints (account.withings.com and wbsapi.withings.net), which is consistent with the stated purpose.
Instruction Scope
SKILL.md instructs running the included Python scripts and describes OAuth flows and token storage. The runtime instructions and the scripts' operations are narrowly scoped to authenticating and fetching Withings measurements; they only reference files under ~/.openclaw/withings-family (legacy ~/.moltbot/) and the declared env vars. No instructions ask the agent to read unrelated system files or transmit data to unknown endpoints.
Install Mechanism
No install spec — the skill is instruction + included scripts. Nothing is downloaded at install time and no external packages or arbitrary URLs are used. Risk from installation is low because code ships with the skill and no extraction from untrusted URLs occurs.
Credentials
Only two env vars are required: WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET. Those are the expected credentials for calling the Withings API. The scripts also optionally read a config.json from the skill directory under the user's home; this is proportional to storing credentials/config for the skill. No unrelated secrets or system credentials are requested.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills or global agent config, and only persists per-user token files under the user's home directory. It attempts to set restrictive permissions (0600) on token files. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install withings-family - After installation, invoke the skill by name or use
/withings-family - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.2
fix: use /Users/oliver/clawd for workspace root to preserve symlink paths
v1.1.1
Rename .clawdhubignore to .clawhubignore
v1.1.0
Refactor: move setup/prerequisites to SETUP.md, keep SKILL.md lean
v1.0.4
Replace .env loading with config.json fallback for client creds
v1.0.3
Security: sanitize user_id used in token file paths to prevent path traversal; tighten token file permissions.
v1.0.2
Prefer ~/.openclaw state dir (fallback to legacy ~/.moltbot).
v1.0.1
Doc fix: SKILL.md now references scripts/ paths only.
v1.0.0
Initial release (scripts live in skill/scripts).
Metadata
Frequently Asked Questions
What is Withings Family?
Fetches health data from the Withings API for multiple family members including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use... It is an AI Agent Skill for Claude Code / OpenClaw, with 2171 downloads so far.
How do I install Withings Family?
Run "/install withings-family" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Withings Family free?
Yes, Withings Family is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Withings Family support?
Withings Family is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Withings Family?
It is built and maintained by Oliver Drobnik (@odrobnik); the current version is v1.1.2.
More Skills