← 返回 Skills 市场
OpenClaw Health Brief
作者
NathanielWeiner
· GitHub ↗
· v1.0.0
1261
总下载
2
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-health-brief
功能描述
Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary.
安全使用建议
This skill's code implements the described functionality, but the manifest omitted important operational requirements. Before installing or enabling it:
- Assume this will read secrets from your 1Password vault (via the 'op' CLI) if available and from environment variables otherwise. The skill will persist rotated tokens to ~/.openclaw/secrets/health_tokens.json (it attempts chmod 600).
- The skill can also write back refresh tokens to 1Password, but only if you set OPENCLAW_1P_WRITEBACK=1 and have the 'op' CLI and OP_SERVICE_ACCOUNT_TOKEN available — don't enable that flag unless you trust the code and its environment.
- The registry metadata did not declare required binaries or env vars; you should verify and install the 'op' CLI yourself and provide only the minimum secrets needed. Consider using environment-only tokens or a dedicated vault/service-account with least privilege.
- Review core/util/secrets.py and core/util/local_secrets.py to confirm they behave as you expect (they call subprocess.run('op') and atomically write a JSON file).
- If you don't trust the code or the unknown source/owner, don't enable writeback and run the smoke test (./bin/smoke) in an isolated environment first. Ask the publisher for a canonical source repository or homepage before deploying it into production/automated cron jobs.
功能分析
Type: OpenClaw Skill
Name: openclaw-health-brief
Version: 1.0.0
This skill bundle is classified as benign. While it involves high-risk capabilities such as reading and writing sensitive OAuth tokens to 1Password (via `op` CLI) and a local file (`~/.openclaw/secrets/health_tokens.json`), and making network requests to external APIs (Oura, Whoop, Withings), these actions are explicitly stated in `SKILL.md` and `README.md`, are necessary for the skill's core functionality (fetching health data and persisting tokens for rotation), and are implemented with security considerations (e.g., opt-in 1Password writeback, `chmod 0o600` for local files). The prompt injection instructions in `SKILL.md` and `README.md` for the AI agent are functional, directing it to process and summarize the skill's output, without any evidence of malicious intent or attempts to manipulate the agent beyond its stated purpose.
能力评估
Purpose & Capability
The code matches the stated purpose (fetch Oura/WHOOP/Withings, normalize, render a brief). However the registry metadata declared no required env vars or binaries while the implementation expects the 1Password CLI ('op'), OP_SERVICE_ACCOUNT_TOKEN / OPENCLAW_1P_VAULT when using 1Password, and various provider tokens as env var fallbacks. The omission in the manifest is an inconsistency.
Instruction Scope
SKILL.md stays within the expected scope (authorize providers via OAuth, run reauth, run brief, add cron). It explicitly instructs storing tokens in 1Password and in a local file (~/.openclaw/secrets/health_tokens.json). The instructions do not appear to request unrelated system data, but they do direct the agent to open a browser for OAuth and to source an existing gateway.env in cron — both of which assume access to local environment and secrets.
Install Mechanism
There is no install spec (instruction-only), which reduces supply-chain footprint, but the package contains executable Python CLI code and expects external tooling (the 'op' CLI). The absence of an install step means the user is responsible for installing Python dependencies and the 'op' binary; this should have been declared.
Credentials
The skill will read and use many sensitive environment variables and external secrets (OP_SERVICE_ACCOUNT_TOKEN, OPENCLAW_1P_VAULT, WHOOP_*/OURA_*/WITHINGS_*). The registry lists none of these. The code also calls the 'op' CLI via subprocess to read (and optionally write) 1Password items — a high-privilege operation. WRITEBACK to 1Password is gated by OPENCLAW_1P_WRITEBACK=1, but that flag is not highlighted in the manifest. The local secrets file (~/.openclaw/secrets/health_tokens.json) is created and persisted (chmod 600 attempted). Because secrets are accessed and persisted, the declared requirements are insufficient and the requested privileges are more than the manifest implies.
Persistence & Privilege
The skill persists rotated tokens to a local JSON file (~/.openclaw/secrets/health_tokens.json) and will attempt 1Password writeback if OPENCLAW_1P_WRITEBACK=1 and 'op' is available. always:false and no special platform-wide modifications are requested. This is expected for an OAuth token-handling CLI, but it expands the blast radius if you enable 1Password writeback — exercise caution.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-health-brief - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-health-brief触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: WHOOP, Oura, Withings connectors with unified reauth, local token persistence, and OpenClaw cron integration
元数据
常见问题
OpenClaw Health Brief 是什么?
Generate a daily health brief from Oura, Whoop, and Withings. Unified re-auth script, local token persistence, Green/Yellow/Red morning summary. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1261 次。
如何安装 OpenClaw Health Brief?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-health-brief」即可一键安装,无需额外配置。
OpenClaw Health Brief 是免费的吗?
是的,OpenClaw Health Brief 完全免费(开源免费),可自由下载、安装和使用。
OpenClaw Health Brief 支持哪些平台?
OpenClaw Health Brief 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 OpenClaw Health Brief?
由 NathanielWeiner(@nathanielweiner)开发并维护,当前版本 v1.0.0。
推荐 Skills