filipe-m-almeida

health-sync

by Filipe Almeida · GitHub ↗ · v0.3.5
cross-platform · ⚠ suspicious
Downloads: 1037 · Stars: 0 · Active Installs: 2 · Versions: 11
Install in OpenClaw
/install health-sync
Description
Analyze synced health data across Oura, Withings, Hevy, Strava, WHOOP, and Eight Sleep.
README (SKILL.md)

Health Sync Analysis Skill

Purpose

This skill is dedicated to analyzing the user's health data across available providers:

  • Oura
  • Withings
  • Hevy
  • Strava
  • WHOOP
  • Eight Sleep

The main goal is to help the user understand trends, compare signals across providers, and find useful insights from their synced data.

Scope

Use this skill when the user asks questions such as:

  • How did I sleep last night?
  • How was my last workout?
  • How did my resting heart rate change during the year?
  • What trends are you seeing in my recovery, sleep, and training?
  • What useful insights or next steps should I focus on?

Setup Handling (Remote Bootstrap Only)

Setup is bot-led and remote-first. The only supported onboarding flow is:

  1. Bot runs `npx health-sync init remote bootstrap`.
  2. Bot sends user: `npx health-sync init --remote <bootstrap-token>`.
  3. User sends back encrypted archive.
  4. Bot runs `npx health-sync init remote finish <ref> <archive>`.

For full operational instructions, always consult:

  • references/setup.md

Do not use or recommend legacy direct setup flows such as:

  1. `health-sync init` as the primary user instruction
  2. `health-sync auth <provider>` as a standalone onboarding path

Those commands may still exist for maintenance/debugging, but they are not the setup flow this skill should guide.

Runtime And Data Disclosure (Mandatory)

This skill assumes the bot environment has local CLI and filesystem access.

  1. Required binaries:
    • node
    • npm
    • npx
  2. Expected local working paths:
    • workspace/health-sync/health-sync.toml
    • workspace/health-sync/.health-sync.creds
    • workspace/health-sync/health.sqlite
  3. Sensitive-data handling:
    • Remote onboarding imports encrypted archives that contain provider credentials/tokens.
    • Finish flow writes decrypted secrets to local files on the bot host.
    • These files must be treated as sensitive at rest (access controls, backups, retention).
  4. Chat-safety boundary:
    • Never ask users to paste raw secrets in chat.
    • Only collect encrypted archive files via remote bootstrap flow.

Schema Handling

To understand data schemas and query correctly, read the provider reference files:

  • references/oura.md
  • references/withings.md
  • references/hevy.md
  • references/strava.md
  • references/whoop.md
  • references/eightsleep.md

Freshness Rule (Mandatory)

Before any analysis, always run:

npx health-sync sync

If sync fails, report the failure clearly and continue analysis only if the user explicitly asks to proceed with potentially stale data.

Analysis Workflow

  1. Run npx health-sync sync first.
  2. Identify the user question and which provider/resource(s) are relevant.
  3. Read the provider schema reference before forming SQL.
  4. Query records, sync_state, and sync_runs as needed.
  5. Produce a clear, user-friendly answer with concrete numbers and dates.
  6. Highlight meaningful patterns and offer practical guidance.
  7. When data quality or coverage is limited, say so explicitly.

Output Style

  • Be concise, clear, and practical.
  • Focus on useful interpretation, not just raw data dumps.
  • Connect metrics to actionable insights (sleep, recovery, training, consistency, etc.).
  • Ask follow-up questions only when necessary to improve analysis quality.
Usage Guidance
This skill looks internally consistent for analyzing synced health data, but it requires the bot to install a Node CLI and to receive, decrypt, and store provider credentials and a local SQLite cache. Before installing:

  1. Confirm you trust the 'health-sync' npm package and its maintainer (check the package page, source repo, and release signatures if available).
  2. Ensure the bot host is secure: limit file access, enforce backups/retention policies, and remove the credentials and DB when no longer needed.
  3. Prefer the remote bootstrap encrypted-archive flow (the skill prohibits pasting secrets in chat); do not share raw API keys or client secrets in chat.
  4. If you cannot trust the bot host or the package, run the onboarding and sync locally and only share non-sensitive exports for analysis.
Capability Analysis
Type: OpenClaw Skill
Name: health-sync
Version: 0.3.5

The skill is classified as suspicious due to the inherent risks associated with an AI agent generating and executing SQL queries based on user input, and its handling of sensitive user credentials. While the `SKILL.md` and `references/setup.md` documents outline a secure remote bootstrap process for credentials (encrypted archives, no pasting secrets in chat) and explicitly warn about treating local files like `workspace/health-sync/.health-sync.creds` as sensitive, the agent's instruction to 'form SQL' for analysis presents a significant vulnerability surface for prompt injection or SQL injection. The skill itself does not contain malicious code or instructions for harmful actions, but the powerful capabilities and potential for misuse via agent vulnerabilities warrant a 'suspicious' classification.
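One way to narrow the agent-formed-SQL surface described above is to open `health.sqlite` read-only and install an SQLite authorizer that permits only SELECT over the three tables the analysis workflow names. This is an added example, not code from health-sync or OpenClaw; the column layout, the `other_data` table, and the function allow-list are constructed assumptions.

```python
import sqlite3
import tempfile
from pathlib import Path

ALLOWED_TABLES = {"records", "sync_state", "sync_runs"}  # named in the workflow
ALLOWED_FUNCS = {"avg", "min", "max", "count", "sum"}    # assumption: adjust as needed

def _authorize(action, arg1, arg2, db_name, source):
    """SQLite authorizer: permit SELECT over allow-listed tables, deny the rest."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and arg2 in ALLOWED_FUNCS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, ATTACH, PRAGMA, any other table

def open_for_analysis(db_path):
    """Open the cache read-only (mode=ro) and attach the authorizer."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.set_authorizer(_authorize)
    return conn

def run_agent_sql(conn, sql, params=()):
    """Run one agent-formed statement; return (ok, rows_or_error_text)."""
    try:
        return True, conn.execute(sql, params).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)

def build_sample_db(db_path):
    """Constructed stand-in for health.sqlite; the real schema may differ."""
    conn = sqlite3.connect(db_path)
    conn.executescript("""
        CREATE TABLE records (provider TEXT, resource TEXT, day TEXT, value REAL);
        INSERT INTO records VALUES ('oura', 'resting_hr', '2025-01-01', 52.0),
                                   ('oura', 'resting_hr', '2025-01-02', 54.0);
        CREATE TABLE other_data (note TEXT);  -- hypothetical, outside the allow-list
        INSERT INTO other_data VALUES ('constructed');
    """)
    conn.close()

if __name__ == "__main__":
    path = Path(tempfile.mkdtemp()) / "health.sqlite"
    build_sample_db(path)
    conn = open_for_analysis(path)
    for sql in ("SELECT avg(value) FROM records WHERE resource = 'resting_hr'",
                "DELETE FROM records", "SELECT note FROM other_data"):
        print(sql, "->", run_agent_sql(conn, sql))
```

The read-only URI and the authorizer are independent layers: the first blocks writes even if the allow-list is misconfigured, the second blocks reads of tables the analysis never needs.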
Capability Assessment
Purpose & Capability
The skill is an analyzer for health data and declares exactly the binaries (node, npm, npx), local config/datastore paths (health-sync.toml, .health-sync.creds, health.sqlite), and an npm package install for a 'health-sync' CLI; these are proportionate and expected for the stated purpose.
Instruction Scope
Runtime instructions require the agent to run npx health-sync commands, import a user-provided encrypted archive, decrypt it locally, and read/write the declared workspace files and SQLite DB. This is within scope for a data-sync/analysis tool, but it explicitly involves handling user provider credentials on the bot host (the SKILL.md warns about treating them as sensitive).
Install Mechanism
Install is via a Node package ('health-sync'), which is the expected mechanism for a Node-based CLI. Installing an npm package is a normal moderate-risk action (code from registry will run on the host); there are no opaque download URLs or extract steps in the spec.
Credentials
No unrelated environment variables are requested. The only required config paths are specific to health-sync (config, creds, sqlite cache), which are appropriate for a cross-provider health-data aggregator.
Persistence & Privilege
The skill does require the agent to store decrypted provider credentials and a SQLite cache on the bot host and to run syncs; always:false is set (no forced global inclusion). This persistence is functionally necessary but increases the impact if the host is compromised—SKILL.md itself emphasizes securing these files.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install health-sync
  3. After installation, invoke the skill by name or use /health-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.3.5
Compare Range: v0.3.4..v0.3.5

Highlights

  • Fixed sync fsck consistency behavior across providers.
  • Fixed Hevy delta watermark parsing for updated events.
  • Added/expanded regression tests for sync state, provider watermarks, and stale-row handling.

Diff Summary

    package-lock.json | 4
    package.json | 2
    release-notes/v0.3.1.md | 25
    release-notes/v0.3.2.md | 39
    release-notes/v0.3.3.md | 34
    release-notes/v0.3.4.md | 41
    src/db.js | 197
    src/providers/hevy.js | 30
    src/providers/strava.js | 29
    src/providers/whoop.js | 29
    tests/db.test.js | 98
    tests/hevy-provider.test.js | 38
    tests/provider-contracts.test.js | 2
    tests/strava-provider.test.js | 70
    tests/whoop-provider.test.js | 94
    15 files changed, 667 insertions(+), 65 deletions(-)

Full Changes

  • release: v0.3.5 (49d08d7)
  • Fix sync fsck consistency across providers (eadb00a)
  • Fix Hevy delta watermark parsing for updated events (e59df3c)
v0.3.4
Compare Range: v0.3.3..v0.3.4

Highlights

  • Fixed onboarding/auth behavior so providers are enabled only after successful setup, preventing unintended sync attempts for unconfigured providers.
  • Added regression coverage to ensure failed auth flows do not force-enable providers in config.
  • Improved auth UX by defaulting OAuth to browser callback capture and moving manual callback paste to explicit `--local` mode.

Diff Summary

    README.md | 4
    package-lock.json | 4
    package.json | 2
    src/auth-onboarding.js | 39
    src/cli.js | 20
    src/providers/oura.js | 1
    src/providers/strava.js | 1
    src/providers/whoop.js | 1
    src/providers/withings.js | 1
    src/util.js | 5
    tests/cli.test.js | 54
    11 files changed, 116 insertions(+), 16 deletions(-)

Full Changes

  • release: v0.3.4 (5dc3d4d)
  • fix(init): only enable providers after successful setup (a70973a)
  • auth: default to browser callback and add --local manual mode (90cce78)
v0.3.3
Compare Range: v0.3.2..v0.3.3

Highlights

  • Added clearer remote bootstrap documentation, including a threat model and improved setup guidance.
  • Updated the health-sync skill docs to better guide remote setup and onboarding workflows.
  • Moved the release runbook from `AGENTS.md` to `docs/release.md` and simplified `AGENTS.md` to a release pointer.

Diff Summary

    AGENTS.md | 118
    clawhub/skills/health-sync/SKILL.md | 49
    clawhub/skills/health-sync/references/setup.md | 75
    docs/release.md | 119
    docs/remote-bootstrap.md | 77
    package-lock.json | 4
    package.json | 2
    7 files changed, 300 insertions(+), 144 deletions(-)

Full Changes

  • release: v0.3.3 (178f98a)
  • docs: move release process to docs/release.md (0d7f09f)
  • docs(skill): guide remote setup via npx and npm prerequisites (4fd7502)
  • docs(security): add threat model to remote bootstrap design (f7f5154)
v0.3.2
Compare Range: v0.3.1..v0.3.2

Highlights

  • Added secure remote bootstrap onboarding with encrypted archive handoff (`init remote bootstrap/run/finish`) and one-time session consumption.
  • Added dedicated architecture and bot/operator runbook docs for remote onboarding.
  • Updated ClawHub skill guidance to use remote bootstrap as the only onboarding flow.

Diff Summary

    README.md | 61
    clawhub/skills/health-sync/SKILL.md | 21
    clawhub/skills/health-sync/references/setup.md | 347
    docs/remote-bootstrap.md | 231
    package-lock.json | 4
    package.json | 2
    src/cli.js | 347
    src/remote-bootstrap.js | 711
    tests/cli.test.js | 90
    tests/remote-bootstrap.test.js | 102
    10 files changed, 1666 insertions(+), 250 deletions(-)

Full Changes

  • release: v0.3.2 (24dd5f4)
  • docs(clawhub): switch setup guidance to remote bootstrap flow (af15f04)
  • feat(init): add secure remote bootstrap onboarding flow (bc320ae)
v0.3.1
Compare Range: v0.3.0..v0.3.1

Highlights

  • Patch release focused on release workflow policy updates.
  • Release process now defaults to patch bumps.
  • Added a required confirmation step for both version number and release notes before publishing.

Diff Summary

    AGENTS.md | 121
    package-lock.json | 4
    package.json | 2
    3 files changed, 124 insertions(+), 3 deletions(-)

Full Changes

  • release: v0.3.1 (1216738)
  • docs: default releases to patch and confirm version before publish (d34702f)
  • docs: add release process guide to AGENTS.md (287434b)
v0.3.0
Release v0.3.0
v0.2.5
Release v0.2.5
v0.2.4
  • Fixed minor typo in the description by updating provider names for clarity.
  • No changes to skill functionality or workflow.
v0.2.3
Require health-sync sync before analysis; improve trigger frontmatter
v0.2.2
Simplify skill description
v0.2.1
Clarify Node setup and OAuth credential/callback guidance
Metadata
Slug health-sync
Version 0.3.5
License
All-time Installs 2
Active Installs 2
Total Versions 11
Frequently Asked Questions

What is health-sync?

Analyze synced health data across Oura, Withings, Hevy, Strava, WHOOP, and Eight Sleep. It is an AI Agent Skill for Claude Code / OpenClaw, with 1037 downloads so far.

How do I install health-sync?

Run "/install health-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is health-sync free?

Yes, health-sync is completely free (open-source). You can download, install and use it at no cost.

Which platforms does health-sync support?

health-sync is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created health-sync?

It is built and maintained by Filipe Almeida (@filipe-m-almeida); the current version is v0.3.5.
