filipe-m-almeida

health-sync

Author: Filipe Almeida · v0.3.5
cross-platform ⚠ suspicious
Total downloads: 1037
Favorites: 0
Current installs: 2
Versions: 11
Install in OpenClaw
/install health-sync
Description
Analyze synced health data across Oura, Withings, Hevy, Strava, WHOOP, and Eight Sleep.
Usage instructions (SKILL.md)

Health Sync Analysis Skill

Purpose

This skill is dedicated to analyzing the user's health data across available providers:

  • Oura
  • Withings
  • Hevy
  • Strava
  • WHOOP
  • Eight Sleep

The main goal is to help the user understand trends, compare signals across providers, and find useful insights from their synced data.

Scope

Use this skill when the user asks questions such as:

  • How did I sleep last night?
  • How was my last workout?
  • How did my resting heart rate change during the year?
  • What trends are you seeing in my recovery, sleep, and training?
  • What useful insights or next steps should I focus on?

Setup Handling (Remote Bootstrap Only)

Setup is bot-led and remote-first. The only supported onboarding flow is:

  1. Bot runs npx health-sync init remote bootstrap.
  2. Bot sends user: npx health-sync init --remote <bootstrap-token>.
  3. User sends back encrypted archive.
  4. Bot runs npx health-sync init remote finish <ref> <archive>.

For full operational instructions, always consult:

  • references/setup.md

Do not use or recommend legacy direct setup flows such as:

  1. health-sync init as the primary user instruction
  2. health-sync auth <provider> as a standalone onboarding path

Those commands may still exist for maintenance/debugging, but they are not the setup flow this skill should guide.

Runtime And Data Disclosure (Mandatory)

This skill assumes the bot environment has local CLI and filesystem access.

  1. Required binaries:
    • node
    • npm
    • npx
  2. Expected local working paths:
    • workspace/health-sync/health-sync.toml
    • workspace/health-sync/.health-sync.creds
    • workspace/health-sync/health.sqlite
  3. Sensitive-data handling:
    • Remote onboarding imports encrypted archives that contain provider credentials/tokens.
    • Finish flow writes decrypted secrets to local files on the bot host.
    • These files must be treated as sensitive at rest (access controls, backups, retention).
  4. Chat-safety boundary:
    • Never ask users to paste raw secrets in chat.
    • Only collect encrypted archive files via remote bootstrap flow.

Schema Handling

To understand data schemas and query correctly, read the provider reference files:

  • references/oura.md
  • references/withings.md
  • references/hevy.md
  • references/strava.md
  • references/whoop.md
  • references/eightsleep.md

Freshness Rule (Mandatory)

Before any analysis, always run:

npx health-sync sync

If sync fails, report the failure clearly and continue analysis only if the user explicitly asks to proceed with potentially stale data.

Analysis Workflow

  1. Run npx health-sync sync first.
  2. Identify the user question and which provider/resource(s) are relevant.
  3. Read the provider schema reference before forming SQL.
  4. Query records, sync_state, and sync_runs as needed.
  5. Produce a clear, user-friendly answer with concrete numbers and dates.
  6. Highlight meaningful patterns and offer practical guidance.
  7. When data quality or coverage is limited, say so explicitly.

Output Style

  • Be concise, clear, and practical.
  • Focus on useful interpretation, not just raw data dumps.
  • Connect metrics to actionable insights (sleep, recovery, training, consistency, etc.).
  • Ask follow-up questions only when necessary to improve analysis quality.
Security usage advice
This skill looks internally consistent for analyzing synced health data, but it requires the bot to install a Node CLI and to receive, decrypt, and store provider credentials and a local SQLite cache. Before installing: 1) Confirm you trust the 'health-sync' npm package and its maintainer (check the package page, source repo, and release signatures if available). 2) Ensure the bot host is secure: limit file access, enforce backups/retention policies, and remove the credentials and DB when no longer needed. 3) Prefer the remote bootstrap encrypted-archive flow (the skill prohibits pasting secrets in chat); do not share raw API keys or client secrets in chat. 4) If you cannot trust the bot host or the package, run the onboarding and sync locally and only share non-sensitive exports for analysis.
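An added example (not part of health-sync or this listing) of the "limit file access" check in point 2: it audits the three workspace files named in SKILL.md, plus SQLite's standard sidecar files, for group/other permission bits on a POSIX host. The helper names and the constructed demo workspace are assumptions.

```python
import os
import stat
import tempfile

# File names from "Expected local working paths"; sidecar suffixes are standard SQLite names.
SENSITIVE = ["health-sync.toml", ".health-sync.creds", "health.sqlite"]
SIDECARS = ["health.sqlite-wal", "health.sqlite-shm", "health.sqlite-journal"]

def audit(workspace):
    """Return (name, problem) pairs for secret-bearing files readable beyond the owner."""
    base = os.path.join(workspace, "health-sync")
    findings = []
    for name in SENSITIVE + SIDECARS:
        try:
            st = os.lstat(os.path.join(base, name))
        except FileNotFoundError:
            continue  # sidecars only exist while SQLite is using them
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink"))
        elif mode & 0o077:  # any group or other permission bit set
            findings.append((name, "mode %04o" % mode))
    return findings

def demo_audit():
    """Build a constructed workspace with one tight and two loose files, then audit it."""
    with tempfile.TemporaryDirectory() as ws:
        base = os.path.join(ws, "health-sync")
        os.mkdir(base)
        for name, mode in ((".health-sync.creds", 0o600), ("health.sqlite", 0o644),
                           ("health.sqlite-wal", 0o640)):
            path = os.path.join(base, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(ws)
```

Sidecar files can hold the same rows as the main database, so they need the same permissions and the same cleanup when the cache is removed.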
Functional analysis
Type: OpenClaw Skill
Name: health-sync
Version: 0.3.5

The skill is classified as suspicious due to the inherent risks associated with an AI agent generating and executing SQL queries based on user input, and its handling of sensitive user credentials. While the `SKILL.md` and `references/setup.md` documents outline a secure remote bootstrap process for credentials (encrypted archives, no pasting secrets in chat) and explicitly warn about treating local files like `workspace/health-sync/.health-sync.creds` as sensitive, the agent's instruction to 'form SQL' for analysis presents a significant vulnerability surface for prompt injection or SQL injection. The skill itself does not contain malicious code or instructions for harmful actions, but the powerful capabilities and potential for misuse via agent vulnerabilities warrant a 'suspicious' classification.
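One way to narrow the agent-formed SQL surface described above, as an added example (not code from health-sync or this page): open the SQLite cache read-only and install an authorizer that permits only SELECT over the three tables the skill names. The demo table's columns, the function allow-list and the helper names are assumptions.

```python
import pathlib
import sqlite3
import tempfile

# Tables named in the skill's Analysis Workflow; the function list is an assumption.
ALLOWED_TABLES = {"records", "sync_state", "sync_runs"}
ALLOWED_FUNCS = {"count", "avg", "min", "max", "sum", "round", "date", "strftime"}

def authorizer(action, arg1, arg2, db_name, trigger):
    """Allow SELECT over the allowed tables only; deny writes, PRAGMA, ATTACH, etc."""
    allowed = (action == sqlite3.SQLITE_SELECT
               or (action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES)
               or (action == sqlite3.SQLITE_FUNCTION and arg2 in ALLOWED_FUNCS))
    return sqlite3.SQLITE_OK if allowed else sqlite3.SQLITE_DENY

def open_guarded(db_path):
    """Open the cache read-only (mode=ro) and install the authorizer."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.set_authorizer(authorizer)
    return conn

def run_agent_sql(conn, sql, params=(), max_rows=500):
    """Run one agent-formed statement; values go in params, never into the SQL text."""
    return conn.execute(sql, params).fetchmany(max_rows)

def build_demo_db(path):
    """Constructed sample data; the column layout is hypothetical, not the real schema."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE records (provider TEXT, day TEXT, value REAL)")
    rows = [("oura", "2024-01-01", 7.5), ("oura", "2024-01-02", 6.0), ("whoop", "2024-01-02", 61.0)]
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.close()

def demo_guard():
    rejected = []
    with tempfile.TemporaryDirectory() as tmp:
        db = str(pathlib.Path(tmp) / "health.sqlite")
        build_demo_db(db)
        conn = open_guarded(db)
        ok = run_agent_sql(conn, "SELECT avg(value) FROM records WHERE provider = ?", ("oura",))
        for sql in ("DELETE FROM records", "SELECT name FROM sqlite_master",
                    "ATTACH DATABASE ':memory:' AS x", "SELECT 1; DROP TABLE records"):
            try:
                run_agent_sql(conn, sql)
            except (sqlite3.Error, sqlite3.Warning):
                rejected.append(sql)
        conn.close()
    return ok, rejected
```

The guard limits what a manipulated query can touch; it does not stop a prompt-injected agent from misreporting the rows it is allowed to read.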
Capability assessment
Purpose & Capability
The skill is an analyzer for health data and declares exactly the binaries (node, npm, npx), local config/datastore paths (health-sync.toml, .health-sync.creds, health.sqlite), and an npm package install for a 'health-sync' CLI; these are proportionate and expected for the stated purpose.
Instruction Scope
Runtime instructions require the agent to run npx health-sync commands, import a user-provided encrypted archive, decrypt it locally, and read/write the declared workspace files and SQLite DB. This is within scope for a data-sync/analysis tool, but it explicitly involves handling user provider credentials on the bot host (the SKILL.md warns about treating them as sensitive).
Install Mechanism
Install is via a Node package ('health-sync'), which is the expected mechanism for a Node-based CLI. Installing an npm package is a normal moderate-risk action (code from registry will run on the host); there are no opaque download URLs or extract steps in the spec.
Credentials
No unrelated environment variables are requested. The only required config paths are specific to health-sync (config, creds, sqlite cache), which are appropriate for a cross-provider health-data aggregator.
Persistence & Privilege
The skill does require the agent to store decrypted provider credentials and a SQLite cache on the bot host and to run syncs; always:false is set (no forced global inclusion). This persistence is functionally necessary but increases the impact if the host is compromised—SKILL.md itself emphasizes securing these files.
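How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install health-sync
  3. Once installation completes, call the Skill by name or trigger it with /health-sync
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history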
v0.3.5
## Compare Range
- v0.3.4..v0.3.5

## Highlights
- Fixed sync fsck consistency behavior across providers.
- Fixed Hevy delta watermark parsing for updated events.
- Added/expanded regression tests for sync state, provider watermarks, and stale-row handling.

## Diff Summary
package-lock.json | 4 +-
package.json | 2 +-
release-notes/v0.3.1.md | 25 +++++
release-notes/v0.3.2.md | 39 ++++++++
release-notes/v0.3.3.md | 34 +++++++
release-notes/v0.3.4.md | 41 ++++++++
src/db.js | 197 ++++++++++++++++++++++++++++++++-------
src/providers/hevy.js | 30 ++++--
src/providers/strava.js | 29 ++++--
src/providers/whoop.js | 29 ++++--
tests/db.test.js | 98 +++++++++++++++++++
tests/hevy-provider.test.js | 38 ++++++++
tests/provider-contracts.test.js | 2 +-
tests/strava-provider.test.js | 70 +++++++++++++-
tests/whoop-provider.test.js | 94 ++++++++++++++++++-
15 files changed, 667 insertions(+), 65 deletions(-)

## Changed Files
- package-lock.json
- package.json
- release-notes/v0.3.1.md
- release-notes/v0.3.2.md
- release-notes/v0.3.3.md
- release-notes/v0.3.4.md
- src/db.js
- src/providers/hevy.js
- src/providers/strava.js
- src/providers/whoop.js
- tests/db.test.js
- tests/hevy-provider.test.js
- tests/provider-contracts.test.js
- tests/strava-provider.test.js
- tests/whoop-provider.test.js

## Full Changes
- release: v0.3.5 (49d08d7)
- Fix sync fsck consistency across providers (eadb00a)
- Fix Hevy delta watermark parsing for updated events (e59df3c)
v0.3.4
## Compare Range
- v0.3.3..v0.3.4

## Highlights
- Fixed onboarding/auth behavior so providers are enabled only after successful setup, preventing unintended sync attempts for unconfigured providers.
- Added regression coverage to ensure failed auth flows do not force-enable providers in config.
- Improved auth UX by defaulting OAuth to browser callback capture and moving manual callback paste to explicit `--local` mode.

## Diff Summary
README.md | 4 +++-
package-lock.json | 4 ++--
package.json | 2 +-
src/auth-onboarding.js | 39 ++++++++++++++++++++++++++++++----
src/cli.js | 20 ++++++++++++------
src/providers/oura.js | 1 +
src/providers/strava.js | 1 +
src/providers/whoop.js | 1 +
src/providers/withings.js | 1 +
src/util.js | 5 +++--
tests/cli.test.js | 54 +++++++++++++++++++++++++++++++++++++++++++++++
11 files changed, 116 insertions(+), 16 deletions(-)

## Changed Files
- README.md
- package-lock.json
- package.json
- src/auth-onboarding.js
- src/cli.js
- src/providers/oura.js
- src/providers/strava.js
- src/providers/whoop.js
- src/providers/withings.js
- src/util.js
- tests/cli.test.js

## Full Changes
- release: v0.3.4 (5dc3d4d)
- fix(init): only enable providers after successful setup (a70973a)
- auth: default to browser callback and add --local manual mode (90cce78)
v0.3.3
## Compare Range
- v0.3.2..v0.3.3

## Highlights
- Added clearer remote bootstrap documentation, including a threat model and improved setup guidance.
- Updated the health-sync skill docs to better guide remote setup and onboarding workflows.
- Moved the release runbook from `AGENTS.md` to `docs/release.md` and simplified `AGENTS.md` to a release pointer.

## Diff Summary
AGENTS.md | 118 +-----------------------
clawhub/skills/health-sync/SKILL.md | 49 ++++++++--
clawhub/skills/health-sync/references/setup.md | 75 ++++++++++++----
docs/release.md | 119 +++++++++++++++++++++++++
docs/remote-bootstrap.md | 77 ++++++++++++++++
package-lock.json | 4 +-
package.json | 2 +-
7 files changed, 300 insertions(+), 144 deletions(-)

## Changed Files
- AGENTS.md
- clawhub/skills/health-sync/SKILL.md
- clawhub/skills/health-sync/references/setup.md
- docs/release.md
- docs/remote-bootstrap.md
- package-lock.json
- package.json

## Full Changes
- release: v0.3.3 (178f98a)
- docs: move release process to docs/release.md (0d7f09f)
- docs(skill): guide remote setup via npx and npm prerequisites (4fd7502)
- docs(security): add threat model to remote bootstrap design (f7f5154)
v0.3.2
## Compare Range
- v0.3.1..v0.3.2

## Highlights
- Added secure remote bootstrap onboarding with encrypted archive handoff (`init remote bootstrap/run/finish`) and one-time session consumption.
- Added dedicated architecture and bot/operator runbook docs for remote onboarding.
- Updated ClawHub skill guidance to use remote bootstrap as the only onboarding flow.

## Diff Summary
README.md | 61 +++
clawhub/skills/health-sync/SKILL.md | 21 +-
clawhub/skills/health-sync/references/setup.md | 347 ++++--------
docs/remote-bootstrap.md | 231 ++++++++
package-lock.json | 4 +-
package.json | 2 +-
src/cli.js | 347 +++++++++++-
src/remote-bootstrap.js | 711 +++++++++++++++++++++++++
tests/cli.test.js | 90 ++++
tests/remote-bootstrap.test.js | 102 ++++
10 files changed, 1666 insertions(+), 250 deletions(-)

## Changed Files
- README.md
- clawhub/skills/health-sync/SKILL.md
- clawhub/skills/health-sync/references/setup.md
- docs/remote-bootstrap.md
- package-lock.json
- package.json
- src/cli.js
- src/remote-bootstrap.js
- tests/cli.test.js
- tests/remote-bootstrap.test.js

## Full Changes
- release: v0.3.2 (24dd5f4)
- docs(clawhub): switch setup guidance to remote bootstrap flow (af15f04)
- feat(init): add secure remote bootstrap onboarding flow (bc320ae)
v0.3.1
## Compare Range
- v0.3.0..v0.3.1

## Highlights
- Patch release focused on release workflow policy updates.
- Release process now defaults to patch bumps.
- Added a required confirmation step for both version number and release notes before publishing.

## Diff Summary
AGENTS.md | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
package-lock.json | 4 +-
package.json | 2 +-
3 files changed, 124 insertions(+), 3 deletions(-)

## Changed Files
- AGENTS.md
- package-lock.json
- package.json

## Full Changes
- release: v0.3.1 (1216738)
- docs: default releases to patch and confirm version before publish (d34702f)
- docs: add release process guide to AGENTS.md (287434b)
v0.3.0
Release v0.3.0
v0.2.5
Release v0.2.5
v0.2.4
- Fixed minor typo in the description by updating provider names for clarity.
- No changes to skill functionality or workflow.
v0.2.3
Require health-sync sync before analysis; improve trigger frontmatter
v0.2.2
Simplify skill description
v0.2.1
Clarify Node setup and OAuth credential/callback guidance
Metadata
Slug: health-sync
Version: 0.3.5
License:
Total installs: 2
Current installs: 2
Number of versions: 11
FAQ

What is health-sync?

Analyze synced health data across Oura, Withings, Hevy, Strava, WHOOP, and Eight Sleep. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1037 total downloads so far.

How do I install health-sync?

Run the command "/install health-sync" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is health-sync free?

Yes, health-sync is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does health-sync support?

health-sync runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed health-sync?

Developed and maintained by Filipe Almeida (@filipe-m-almeida); the current version is v0.3.5.
