← 返回 Skills 市场
Vitavault
作者
Brandon Stewart
· GitHub ↗
· v1.3.0
726
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install vitavault
功能描述
VitaVault iOS app integration - sync Apple Health data directly to your AI agent. Auto-setup webhook, token generation, and HTTPS exposure. Works with any iP...
安全使用建议
Before installing or running this skill, consider the following: 1) Health data is highly sensitive — exposing an HTTP(S) webhook to the public (even via tunnels) risks leakage if the sync token is misconfigured, leaked, or omitted. Ensure the VITAVAULT_SYNC_TOKEN is set, long, and stored securely. 2) The SKILL.md repeatedly promises "no middleman," but scripts/query.py requires a VITAVAULT_API_URL (a cloud API endpoint) — ask the developer what that cloud client is for and whether it will send or pull data from an external server. 3) The instructions create a systemd service and recommend sudo operations; only proceed if you trust the code and understand how to adjust file paths, service user, and firewall rules. 4) Prefer Tailscale Funnel or a private domain behind your own reverse proxy over public temporary tunnels for long-term use; temporary tunnels (ngrok, trycloudflare) are fine for short tests but not recommended for production health sync. 5) Review the shipped Python scripts yourself (or run them in an isolated VM/container) — the webhook code shown saves incoming payloads locally and does not call external endpoints, but the query client will contact whatever URL you set in VITAVAULT_API_URL. 6) If you accept the setup, perform an initial test with innocuous data, verify Authorization header enforcement, and restrict exposure (use firewall rules, Tailscale, or private domain). If you need more certainty, ask the skill author to explicitly document the cloud API behavior and to include a manifest of which components are optional (local webhook vs cloud client).
功能分析
Type: OpenClaw Skill
Name: vitavault
Version: 1.3.0
The skill is classified as suspicious due to a significant contradiction between its stated purpose and the functionality of `scripts/query.py`. The `SKILL.md` explicitly claims "No shared servers, no middleman - data flows phone to your agent only" and that data is saved "nowhere else" than the agent's host. However, `scripts/query.py` is designed to query a *remote* API (requiring `VITAVAULT_API_URL` environment variable) and is listed in `SKILL.md` under 'Querying Health Data' as if it operates on local data. This deceptive representation of external network activity, despite claims of local-only data handling, raises concerns about transparency and potential for undisclosed data interactions.
能力评估
Purpose & Capability
Most files (webhook.py, import.py, summary.py, briefing.py) align with the stated purpose of receiving and processing Apple Health data locally. However, scripts/query.py is written as a client for a VitaVault cloud API and requires VITAVAULT_API_URL — this conflicts with the SKILL.md's repeated claim of a direct phone→agent flow with "No shared servers, no middleman." The presence of both a local webhook receiver and a cloud-API client is plausible (optional features), but the mismatch is unexplained in the documentation and registry metadata.
Instruction Scope
The SKILL.md instructs the agent to generate tokens, run a background webhook, expose that webhook publicly (Tailscale Funnel, cloudflared, ngrok, or reverse proxy), and create/enable a systemd service. These steps touch system-level configuration, require sudo in places, and create a publicly reachable HTTPS endpoint that will receive sensitive health data — all of which are consistent with a webhook receiver but are high-impact operations and should only be done with explicit user consent and careful setup.
Install Mechanism
There is no automated install spec (no downloads or arbitrary archives). The skill ships Python scripts and an instruction-only setup flow; nothing writes arbitrary third-party binaries to disk. This is lower risk than an automated remote download/install, though running the provided commands will create files and services locally.
Credentials
The registry metadata declares no required env vars, but the shipped code and SKILL.md use VITAVAULT_SYNC_TOKEN (for webhook auth) and query.py requires VITAVAULT_API_URL (and optionally VITAVAULT_SYNC_TOKEN). The VITAVAULT_SYNC_TOKEN is proportional to the webhook purpose, but the required VITAVAULT_API_URL for the cloud query is not justified by SKILL.md's 'no middleman' claim. There are no unrelated credentials requested, but the public exposure instructions increase the risk of accidental data exposure if auth or tunnel configuration is misused.
Persistence & Privilege
The guide recommends creating a systemd service and enabling it with sudo, which grants persistent, system-level presence and a network-exposed listener. The skill does not set always: true, but the suggested systemd install is a persistent privilege and should be treated as a deliberate, high-impact change requiring the user's explicit approval and careful configuration (paths, token, user account, firewall).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vitavault - 安装完成后,直接呼叫该 Skill 的名称或使用
/vitavault触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.0
**VitaVault 1.3.0 – Major upgrade: Adds webhook-based Apple Health sync and auto-setup**
- New webhook receiver script for direct iPhone-to-agent health data sync (no Mac or shared servers required)
- Detailed, step-by-step agent setup guide to fully automate secure token generation, webhook launch, HTTPS exposure (Tailscale, Cloudflare, ngrok, or custom domain), and persistent service setup
- Data now syncs directly to your agent every time VitaVault opens, storing files locally for privacy
- Simplified user experience: agent handles all technical setup and hands user a ready-to-use URL and token
- Previous export/analysis methods (JSON, CSV, AI-ready text) still supported, with updated instructions
v1.1.1
SECURITY: Removed hardcoded API URL. All endpoints now require user-configured VITAVAULT_API_URL environment variable.
v1.2.0
Added auto-sync with OpenClaw - query scripts, API docs, no Mac required
v1.1.0
Updated skill with full app integration details, export format docs, and analysis prompts
v1.0.0
Initial release: import VitaVault iOS health exports, query 48 health metrics, generate summaries and morning briefing blocks for OpenClaw agents
元数据
常见问题
Vitavault 是什么?
VitaVault iOS app integration - sync Apple Health data directly to your AI agent. Auto-setup webhook, token generation, and HTTPS exposure. Works with any iP... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 726 次。
如何安装 Vitavault?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vitavault」即可一键安装,无需额外配置。
Vitavault 是免费的吗?
是的,Vitavault 完全免费(开源免费),可自由下载、安装和使用。
Vitavault 支持哪些平台?
Vitavault 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Vitavault?
由 Brandon Stewart(@brandons7)开发并维护,当前版本 v1.3.0。
推荐 Skills