Slug Test

Stream and sync iPhone/Apple Watch HealthKit data via a local webhook server for AI analysis, recovery scoring, and health anomaly alerts.

What to consider before installing or running this: - Provenance: The skill bundle provides no source repository, homepage, or code files; SKILL.md tells you to run `npx healthclaw-webhook-server` which will download and execute code from npm. Before running, find and review the package on npm/GitHub (package name and version), inspect its source, and verify an official author or release artifact. If you cannot verify the upstream source, do not run `npx` on a package handling sensitive health data. - Least privilege and protection: The instructions reference an ADMIN_TOKEN but do not require it. If you run the server, set a strong ADMIN_TOKEN and verify admin endpoints are actually protected. Default or missing admin credentials could allow strangers to pair devices or read users. - Network exposure: The skill recommends exposing your server via Tailscale Funnel / Cloudflare Tunnel / ngrok so an iPhone can reach it. Exposing health data to the public internet substantially increases risk. Prefer Tailscale (authenticated, zero-trust tailnet) over public tunnels; if you must use a tunnel, restrict access, use HTTPS, and rotate pairing tokens frequently. - Sandbox/testing: Run the server in a sandboxed environment (container, dedicated user account, VM) and not on a machine that holds other sensitive secrets. Check what files it writes and what ports it opens before trusting it with real health data. - Data handling: The server stores an append-only JSONL of health records. Ensure filesystem permissions are restricted, encrypt backups if needed, and regularly audit the file for unexpected recipients. Understand how the iOS companion stores/sends tokens. - Things that would increase confidence: a published source repo or GitHub release that you can audit, an official npm package with a known maintainer, checksums/signatures for binaries, or an App Store–published iOS companion app. If the maintainer provides these, re-run the assessment. Given the sensitivity of health data and the lack of provenance for the server code, treat this skill as suspicious until you can confirm the upstream package and review its code/configuration.

Type: OpenClaw Skill Name: slug-test Version: 0.0.1 The skill bundle (SKILL.md) instructs users to execute an external, unverified npm package (npx healthclaw-webhook-server) and expose their local environment to the public internet using tools like Tailscale Funnel or ngrok. While these actions are aligned with the stated goal of syncing iOS HealthKit data, they represent significant security risks including unvetted code execution and potential network exposure. Furthermore, _meta.json contains a future timestamp (2026) and a generic slug ('slug-test'), which are common indicators of low-quality or placeholder submissions.