← Back to Skills Marketplace

Slug Test

Name: Slug Test
Author: crxiaobailiu-gif

by crxiaobailiu-gif · GitHub ↗ · v0.0.1 · MIT-0

cross-platform ⚠ suspicious

252

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install slug-test

Description

Stream and sync iPhone/Apple Watch HealthKit data via a local webhook server for AI analysis, recovery scoring, and health anomaly alerts.

Usage Guidance

What to consider before installing or running this: - Provenance: The skill bundle provides no source repository, homepage, or code files; SKILL.md tells you to run `npx healthclaw-webhook-server` which will download and execute code from npm. Before running, find and review the package on npm/GitHub (package name and version), inspect its source, and verify an official author or release artifact. If you cannot verify the upstream source, do not run `npx` on a package handling sensitive health data. - Least privilege and protection: The instructions reference an ADMIN_TOKEN but do not require it. If you run the server, set a strong ADMIN_TOKEN and verify admin endpoints are actually protected. Default or missing admin credentials could allow strangers to pair devices or read users. - Network exposure: The skill recommends exposing your server via Tailscale Funnel / Cloudflare Tunnel / ngrok so an iPhone can reach it. Exposing health data to the public internet substantially increases risk. Prefer Tailscale (authenticated, zero-trust tailnet) over public tunnels; if you must use a tunnel, restrict access, use HTTPS, and rotate pairing tokens frequently. - Sandbox/testing: Run the server in a sandboxed environment (container, dedicated user account, VM) and not on a machine that holds other sensitive secrets. Check what files it writes and what ports it opens before trusting it with real health data. - Data handling: The server stores an append-only JSONL of health records. Ensure filesystem permissions are restricted, encrypt backups if needed, and regularly audit the file for unexpected recipients. Understand how the iOS companion stores/sends tokens. - Things that would increase confidence: a published source repo or GitHub release that you can audit, an official npm package with a known maintainer, checksums/signatures for binaries, or an App Store–published iOS companion app. If the maintainer provides these, re-run the assessment. Given the sensitivity of health data and the lack of provenance for the server code, treat this skill as suspicious until you can confirm the upstream package and review its code/configuration.

Capability Analysis

Type: OpenClaw Skill Name: slug-test Version: 0.0.1 The skill bundle (SKILL.md) instructs users to execute an external, unverified npm package (npx healthclaw-webhook-server) and expose their local environment to the public internet using tools like Tailscale Funnel or ngrok. While these actions are aligned with the stated goal of syncing iOS HealthKit data, they represent significant security risks including unvetted code execution and potential network exposure. Furthermore, _meta.json contains a future timestamp (2026) and a generic slug ('slug-test'), which are common indicators of low-quality or placeholder submissions.

Capability Assessment

ℹ Purpose & Capability

The name/description (stream Apple Health data to a local webhook for analysis) aligns with the SKILL.md flow (webhook server, pairing, health-data.jsonl storage). However, the metadata declares no required env vars or install steps while the runtime instructions reference optional env vars (PORT, HEALTHCLAW_DATA_DIR, ADMIN_TOKEN) and an npm package (healthclaw-webhook-server) — that mismatch is an inconsistency in declared requirements vs. runtime needs.

ℹ Instruction Scope

The SKILL.md stays on-topic (pairing, sync endpoints, storage, admin API). It does instruct you to expose the server to the public internet (Tailscale Funnel, Cloudflare Tunnel, ngrok) so your device can reach it and to run admin API calls (generate pairing, create users). Those steps are necessary for the stated purpose but increase the exposure of very sensitive health data; the instructions do not provide security defaults (e.g., require ADMIN_TOKEN) nor explicit guidance on safe configuration beyond optional tips.

⚠ Install Mechanism

There is no install spec in the registry entry; the instructions tell the user to run `npx healthclaw-webhook-server`, which will download and execute code from the npm registry at runtime. Because no source repository, homepage, release URL, or checksum is provided, there's no provenance or verification step for that code — this is a meaningful installation risk for arbitrary code execution.

ℹ Credentials

The skill metadata lists no required environment variables or credentials, but the SKILL.md references optional env vars (PORT, HEALTHCLAW_DATA_DIR, ADMIN_TOKEN) and recommends using third-party tunneling services (Tailscale/ngrok/cloudflared). The lack of declared env vars in the registry combined with runtime reliance on an ADMIN_TOKEN (for admin endpoints) is an inconsistency the user should be aware of. The skill does not request unrelated credentials, but it will require network and tunnel credentials in practice.

ℹ Persistence & Privilege

always:false and no code included in the skill bundle mean the skill itself doesn't demand permanent platform-level presence. However, the runtime use-case involves persistent local storage of sensitive health data (health-data.jsonl) and potential continuous services (LaunchAgent/systemd, Tailscale Funnel). Autonomous model invocation is allowed (platform default) — combine that with remote package execution and public exposure raises the blast radius.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install slug-test
After installation, invoke the skill by name or use /slug-test
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.0.1

HealthClaw Skill - Initial Release - Stream Apple Health data (heart rate, HRV, sleep, steps) from iPhone/Watch to OpenClaw via webhook server. - Reliable pairing flow with secure, time-limited token system for initial connection. - Automatic, background data sync with deduplication and append-only local storage. - Supports both single-user and new multi-user modes, with isolated data directories. - Offers easy setup guides for webhook hosting, public URL exposure (Tailscale, Cloudflare, ngrok), and pairing. - Includes API references for syncing, pairing, and user management.

Metadata

Slug slug-test

Version 0.0.1

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Slug Test?

Stream and sync iPhone/Apple Watch HealthKit data via a local webhook server for AI analysis, recovery scoring, and health anomaly alerts. It is an AI Agent Skill for Claude Code / OpenClaw, with 252 downloads so far.

How do I install Slug Test?

Run "/install slug-test" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Slug Test free?

Yes, Slug Test is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Slug Test support?

Slug Test is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Slug Test?

It is built and maintained by crxiaobailiu-gif (@crxiaobailiu-gif); the current version is v0.0.1.

More Skills