crxiaobailiu-gif

Skill

Author: crxiaobailiu-gif · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 127
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install healthclaw-webhook
Description
Streams Apple Health data via a local webhook server to enable AI analysis, recovery scores, anomaly alerts, and health trend queries.
Usage Instructions (SKILL.md)

HealthClaw Skill

Connect your iPhone/Apple Watch health data to OpenClaw for AI-powered analysis.

HealthClaw streams Apple Health data (heart rate, HRV, sleep, steps, workouts) to your OpenClaw agent via a local webhook server. Once connected, your agent can calculate recovery scores, detect health anomalies, answer questions about your health trends, and proactively alert you when something looks off.


How It Works

iPhone / Apple Watch
        ↓  (HealthKit → background sync)
  iOS App (HealthClaw)
        ↓  (HTTPS POST)
  Webhook Server  ←  npx healthclaw-webhook-server
        ↓
  health-data.jsonl  (append-only log)
        ↓
  OpenClaw Agent  (queries, crons, alerts)

Key concepts

Concept | Description
Pairing | One-time setup: server issues a time-limited token (2 min), iOS app scans or opens the deep-link, exchanges it for a permanent API token stored securely on the server
Data sync | iOS app POSTs individual records to /api/health-sync or bulk batches to /api/health-sync/batch. Each record contains a type, value, unit, startDate, endDate, and optional metadata
Deduplication | Every record gets a deterministic ID from (type, startDate, endDate, value). The server keeps a SQLite dedupe index — re-syncing the same data is always safe, duplicates are silently dropped
Storage | All data is appended to health-data.jsonl in a platform-appropriate user directory (~/Library/Application Support/healthclaw-webhook on macOS)
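
The deduplication rule in the table above, sketched as an added example (not HealthClaw's own code). The page does not say how the ID is computed, so the SHA-256-over-JSON scheme, the `seen` table and all function names here are assumptions.

```python
# Added illustration, not HealthClaw's code. The SHA-256-over-JSON ID scheme
# and the table name `seen` are assumptions; the page only says the ID is
# deterministic over (type, startDate, endDate, value).
import hashlib
import json
import sqlite3


def record_id(rec):
    """Deterministic ID built from the four fields the page names."""
    key = json.dumps(
        [rec["type"], rec["startDate"], rec["endDate"], rec["value"]],
        separators=(",", ":"),
    )
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def ingest(db, log, batch):
    """Append unseen records to `log`; return how many were new."""
    db.execute("CREATE TABLE IF NOT EXISTS seen (id TEXT PRIMARY KEY)")
    accepted = 0
    for rec in batch:
        try:
            db.execute("INSERT INTO seen (id) VALUES (?)", (record_id(rec),))
        except sqlite3.IntegrityError:
            continue  # ID already indexed: duplicate is silently dropped
        log.append(json.dumps(rec))  # stands in for the append-only JSONL file
        accepted += 1
    db.commit()
    return accepted


# Constructed sample record, shaped like the page's Data Format example.
SAMPLE = {"type": "HeartRate", "value": 62, "unit": "count/min",
          "startDate": "2025-01-15T07:32:00Z", "endDate": "2025-01-15T07:32:00Z",
          "metadata": {"context": "resting"}}


def demo():
    """Sync once, re-sync (exact copy + metadata-only edit), then a new value."""
    db, log = sqlite3.connect(":memory:"), []
    first = ingest(db, log, [SAMPLE])
    resync = ingest(db, log, [SAMPLE, dict(SAMPLE, metadata={"context": "edited"})])
    changed = ingest(db, log, [dict(SAMPLE, value=63)])
    return first, resync, changed, len(log)
```

Because unit and metadata are outside the ID, the metadata-only edit in the re-sync is dropped along with the exact duplicate: the first write for a given (type, startDate, endDate, value) is the one that stays in the log.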

Setup

1. Start the webhook server

npx healthclaw-webhook-server

The server starts on port 3000 by default. Keep it running (consider a LaunchAgent / systemd service for persistence).

Optional environment variables:

PORT=3000                         # Server port
HEALTHCLAW_DATA_DIR=~/custom/path # Override data directory
ADMIN_TOKEN=your-secret           # Protect admin endpoints

2. Expose to the internet (for iOS sync)

The iOS app needs to reach your server from outside your local network.

Option A: Tailscale Funnel (recommended)

Tailscale Funnel gives your machine a stable public HTTPS URL tied to your Tailscale domain — no dynamic DNS, no port forwarding needed.

# 1. Install Tailscale and log in (skip if already done)
#    https://tailscale.com/download
tailscale login

# 2. Enable Funnel for port 3000
tailscale funnel --bg 3000

Your public URL will be:

https://<machine-name>.<tailnet-name>.ts.net

To find it:

tailscale funnel status
# or
tailscale status --json | grep DNSName

Note: Funnel runs in the background (--bg). It persists across reboots. To stop it: tailscale funnel --bg --off

Option B: Cloudflare Tunnel

# Install cloudflared: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
cloudflared tunnel --url http://localhost:3000
# Cloudflare prints a randomly-assigned https://xxxxx.trycloudflare.com URL

URLs are ephemeral — you'll need to re-pair the iOS app each time you restart the tunnel.

Option C: ngrok

ngrok http 3000
# ngrok prints a https://xxxxx.ngrok-free.app URL

Same caveat as Cloudflare — URL changes on restart unless you have a paid plan.

Note your public URL — you'll need it in the next step when generating the pairing link.

3. Generate a pairing link

curl -X POST https://your-public-url/admin/generate-pairing

Response:

{
  "pairingToken": "abc123...",
  "deepLink": "healthclaw://pair?url=...&token=...",
  "openUrl": "https://your-public-url/pair/open?token=...",
  "expiresInSeconds": 120
}

Open openUrl on your iPhone, or paste deepLink into Safari. The page has a button that opens the HealthClaw app directly.

Token expires in 2 minutes. If it expires, run the curl command again.

4. Install the iOS app

The HealthClaw iOS companion app handles background HealthKit syncing.

Current status: App is pending App Store review.

TestFlight (beta): <https://testflight.apple.com/join/SXDjT6vC>

Once installed, open the app and follow the pairing flow. After pairing, the app will sync data automatically in the background — no need to keep it open.

5. Verify the connection

curl https://your-public-url/health
# → { "status": "ok", "paired": true, ... }

Check that data is flowing:

tail -f ~/Library/Application\ Support/healthclaw-webhook/health-data.jsonl

Data Format

Each line in health-data.jsonl is a JSON record:

{
  "type": "HeartRate",
  "value": 62,
  "unit": "count/min",
  "startDate": "2025-01-15T07:32:00Z",
  "endDate": "2025-01-15T07:32:00Z",
  "metadata": { "context": "resting" }
}

Common types: HeartRate, RestingHeartRate, HeartRateVariabilitySDNN, StepCount, SleepAnalysis, ActiveEnergyBurned, DistanceWalkingRunning, and more.


Use Cases

Example | Description
Recovery Score | Daily HRV + RHR + sleep score with cron job setup
Health Alerts | Proactive anomaly detection with configurable thresholds

Multi-User Setup

By default, the server runs in single-user (legacy) mode. To support multiple users (e.g. family members, clients), create users via the Admin API. Each user gets an isolated data directory — no data mixing between users.

Create a user

curl -X POST https://your-public-url/admin/users \
  -H "Content-Type: application/json" \
  -H "x-admin-token: your-secret" \
  -d '{"name": "alice"}'

Response (token is shown once only — save it):

{
  "userId": "usr_a1b2c3d4",
  "token": "64-char-hex-token...",
  "name": "alice",
  "createdAt": "2026-03-14T12:00:00.000Z"
}

List users

curl https://your-public-url/admin/users \
  -H "x-admin-token: your-secret"

Returns [{ userId, name, createdAt }] — tokens are never included in list responses.

Using the token

The returned token is the API key the iOS app uses for syncing. Set it as the x-api-token header when pairing or syncing. Each user's data is automatically routed to their own directory:

{appDataRoot}/users/{userId}/health-data.jsonl
{appDataRoot}/users/{userId}/dedupe.db

Legacy compatibility

The existing single-device permanent token continues to work. Its data stays at the original path ({appDataRoot}/health-data.jsonl). No migration is needed — both modes work side by side.

Reading per-user data (OpenClaw skill integration)

When querying health data for a specific user, read from their per-user path:

# Single (legacy) user — default path
cat ~/Library/Application\ Support/healthclaw-webhook/health-data.jsonl

# Multi-user — per-user path
cat ~/Library/Application\ Support/healthclaw-webhook/users/usr_a1b2c3d4/health-data.jsonl

API Reference

Full API spec: webhook-server/docs/API_SPEC.md

Key endpoints:

  • GET /health — server status + pairing state
  • POST /admin/generate-pairing — create a new pairing link
  • POST /api/pair?token=<token> — complete device pairing (called by iOS app)
  • POST /api/health-sync — ingest a single record
  • POST /api/health-sync/batch — ingest up to 5000 records in one request
  • POST /admin/users — create a new user (returns token once)
  • GET /admin/users — list all users (no tokens)
  • GET /admin/device-info — check paired device metadata
Security Recommendations
Key things to consider before installing:

  • Sensitive data: this skill collects and stores Apple Health data (PHI). Only run it if you accept storing those records locally and exposing a network endpoint.
  • Verify the server package before running: SKILL.md tells you to run `npx healthclaw-webhook-server` (dynamic download/execution). Inspect and pin the npm package (or build from the referenced GitHub repo) before running to avoid executing unexpected code.
  • Provide and protect admin and notification credentials: SKILL.md uses ADMIN_TOKEN and expects Discord notifications but the manifest doesn't declare these. Decide how you will supply an admin token and how notifications will authenticate (Discord webhook/token) and store those secrets safely.
  • Prefer a private tunnel: if you must expose the server, prefer Tailscale Funnel or a vetted Cloudflare Tunnel, restrict access, and avoid making the endpoint publicly discoverable. Use strong ADMIN_TOKEN, restrict allowed origins, and firewall unused ports.
  • Least privilege for notifications: create a dedicated Discord webhook/account with minimal permissions rather than exposing broad personal credentials.
  • Audit and sandbox: run the server in a constrained account or container, review logs, and limit where the health-data.jsonl file is stored and backed up. Rotate tokens if you suspect exposure.

If you want a safer setup: obtain the server source (GitHub repo), review the code or build a pinned release, provide explicit env vars for tokens, and avoid public exposure unless absolutely necessary.
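
A pre-flight check for two of the settings the advice above names, the ADMIN_TOKEN value and access to the stored health data, as an added example that is not part of the skill or its server. The 32-character minimum, the owner-only permission policy and the function name `audit` are assumptions.

```python
# Added illustration, not part of the skill. The 32-character minimum and the
# owner-only permission policy are assumptions chosen for this example.
import os
import stat
import sys

# Default macOS data directory and the placeholder token shown on the page.
DEFAULT_DIR = "~/Library/Application Support/healthclaw-webhook"
PLACEHOLDER_TOKENS = {"your-secret"}


def audit(env, data_dir):
    """Return sorted findings for ADMIN_TOKEN and data-directory permissions."""
    findings = []
    token = env.get("ADMIN_TOKEN", "")
    if not token:
        findings.append("ADMIN_TOKEN unset")
    elif token in PLACEHOLDER_TOKENS or len(token) < 32:
        findings.append("ADMIN_TOKEN weak")
    # Covers health-data.jsonl, dedupe.db and every users/<userId>/ subtree.
    for root, _dirs, files in os.walk(data_dir):
        for path in [root] + [os.path.join(root, f) for f in files]:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
                rel = os.path.relpath(path, data_dir)
                findings.append(f"{rel} mode {mode:03o}")
    return sorted(findings)


if __name__ == "__main__":
    target = os.path.expanduser(os.environ.get("HEALTHCLAW_DATA_DIR", DEFAULT_DIR))
    results = audit(os.environ, target)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run it in the same environment the server is started from, so it sees the ADMIN_TOKEN and HEALTHCLAW_DATA_DIR values the server will actually use.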
Functional Analysis
Type: OpenClaw Skill
Name: healthclaw-webhook
Version: 1.0.0

The skill requires the user to run a local webhook server and explicitly encourages exposing it to the public internet using tools like Tailscale Funnel, Cloudflare Tunnel, or ngrok (SKILL.md). While these actions are aligned with the stated goal of syncing iOS health data, they significantly increase the host's attack surface. Additionally, the skill provides prompts for the AI agent to read local health data files and exfiltrate summaries to external platforms like Discord (health-alerts.md), which involves the handling and transmission of sensitive health-related PII/PHI.
Capability Assessment
Purpose & Capability
The name, description, and SKILL.md consistently describe a self-hosted webhook to receive Apple Health data, compute recovery scores and alerts, and integrate with notification channels. Those capabilities are coherent with the instructions to run a local server and set up crons. However, the skill does not declare environment variables or credentials that the runtime instructions clearly require (e.g., ADMIN_TOKEN for admin endpoints and credentials/webhooks for Discord notifications), which is an omission that reduces coherence between 'what it says' and 'what it needs to work'.
Instruction Scope
The SKILL.md instructs the agent/user to run a webhook server via 'npx healthclaw-webhook-server', create public URLs (Tailscale/Cloudflare/ngrok), generate pairing tokens, create admin users, and write an append-only health-data.jsonl in the user's Application Support directory. These actions will collect and persist highly sensitive personal health data and expose an admin API over the network. The instructions also expect the agent to send alerts via Discord, but do not define how to provide the required notification credentials. The scope (reading/writing health data, issuing pairing tokens, exposing an admin API) is powerful and requires careful access controls; that scope is aligned with the stated purpose but the docs give broad discretion (expose to internet, persist tokens) without mandatory safety steps.
Install Mechanism
There is no install spec; instead SKILL.md recommends running 'npx healthclaw-webhook-server'. npx will fetch and execute code from the npm registry at run time, which is effectively a network download and remote code execution step. Because the registry package/source is not bundled or audited here, this raises risk: the agent/host will execute third-party code without an explicit, verifiable install artifact in the skill bundle. The skill.json homepage points to a GitHub repo (helpful), but the skill metadata does not pin or vendor the server binary, nor does it instruct users to inspect or pin the package version before running.
Credentials
The skill.json declares no required env vars, and requires.env is empty, but the SKILL.md references optional and configuration environment variables (PORT, HEALTHCLAW_DATA_DIR, ADMIN_TOKEN) as well as many ALERT_* and RECOVERY_* variables and expects notification through Discord. The runtime instructions implicitly require admin tokens and notification credentials (or webhooks) that are not declared by the skill manifest. The omission makes it unclear what secrets the agent will need and where they should be provided; asking the agent to send messages (Discord) without declaring the credential is a meaningful mismatch.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configurations. It does instruct running a long-running service (suggests LaunchAgent/systemd) and adding cron jobs that run automatically and can send alerts externally. Autonomous agent invocation (default) combined with scheduled crons means the agent can periodically process and transmit sensitive data — this is expected for the use case but increases privacy risk. No special platform privileges are requested in the manifest.
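How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install healthclaw-webhook
  3. Once installed, invoke the Skill by name or trigger it with /healthclaw-webhook
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version History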
v1.0.0
Initial release of HealthClaw, enabling iPhone/Apple Watch health data streaming to OpenClaw via local webhook.

  • Streams Apple Health data (heart rate, HRV, sleep, steps, workouts) to OpenClaw agents for analysis and alerts.
  • Supports secure, token-based pairing between your iOS device and the webhook server.
  • Provides data deduplication, append-only storage, and flexible background syncing.
  • Setup instructions for secure remote access using Tailscale, Cloudflare, or ngrok.
  • Multi-user support: isolate health data for different users or devices.
  • Full API documentation for pairing, syncing, admin functions, and health queries.
Metadata
Slug: healthclaw-webhook
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
FAQ

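What is Skill?

Streams Apple Health data via a local webhook server to enable AI analysis, recovery scores, anomaly alerts, and health trend queries. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 127 total downloads so far.

How do I install Skill?

Run the command "/install healthclaw-webhook" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.

Is Skill free?

Yes. Skill is completely free and released under the MIT-0 license, so it can be freely downloaded, installed, and used.

Which platforms does Skill support?

Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill?

Developed and maintained by crxiaobailiu-gif (@crxiaobailiu-gif); the current version is v1.0.0.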
