Is cgtreadw/health-guardian safe?

https://github.com/openclaw/skills/tree/main/skills/cgtreadw/health-guardian

77
CAUTION

Health Guardian presents a coherent, legitimate use case for caregiver AI agents monitoring chronically ill or disabled individuals, with clean Python scripts, no malicious installation hooks, and no credential exfiltration observed during the install. The critical concern is the explicit Telegram alert channel that will transmit sensitive medical metrics to an external cloud service — a behavior directly contradicted by the skill's 'No cloud. No telemetry.' privacy claim, which is a factual misrepresentation. Combined with a missing auditable script (summary.py), a permanent hourly cron execution footprint, and the exceptional sensitivity of medical data for the disability population this skill targets, installation requires careful review and explicit Telegram configuration verification before deployment.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (10)

HIGH Telegram alert channel transmits sensitive health data to external cloud service -25

The skill is explicitly configured to send health alerts via Telegram, a third-party cloud messaging service. This directly and materially contradicts the SKILL.md Data Storage section claim: 'Privacy: Nothing leaves your machine. No cloud. No telemetry.' Medical metrics including heart rate, temperature, SpO2, blood pressure, and sleep patterns will be transmitted to Telegram servers whenever anomalies are detected. The recipient channel/bot is user-controlled, but the author's willingness to publish a contradictory privacy claim is a trust signal failure.

MEDIUM summary.py referenced in documentation but absent from repository -10

SKILL.md documents a third script (scripts/summary.py) used for generating human-readable health summaries, instructing users to run it as a regular workflow step. This file is not present in the repository. Its data handling, network calls, output format, and any external transmission behavior cannot be audited. This constitutes an incomplete code submission where a user-facing script is undiscoverable for security review.

MEDIUM Contradictory privacy claim undermines author trust -5

The explicit and prominent 'No cloud. No telemetry.' claim in SKILL.md is factually incorrect given the Telegram integration in the default config. Whether intentional deception or careless documentation, a skill handling medical data for users with disabilities that makes false privacy guarantees warrants reduced trust in the author's other claims (e.g., 'battle-tested daily', data locality, no telemetry).

MEDIUM Persistent hourly cron execution and HEARTBEAT.md integration create indefinite execution surface -15

The skill instructs users to install an hourly cron job (expr: '0 * * * *') that executes import_health.py and runs anomaly detection continuously. It also requests integration into the agent's HEARTBEAT.md for ongoing health checking. Any malicious update to the skill's Python scripts would be executed automatically without re-review. This is a significantly larger execution footprint than a passive skill injected only on demand.

MEDIUM Missing summary.py prevents full codebase audit -10

With summary.py absent, approximately one-third of the skill's documented scripts cannot be reviewed for code execution risks including subprocess calls, network requests, or file system traversal. Users who follow the SKILL.md quickstart will encounter a missing script.

MEDIUM Highly sensitive medical data access for users with disabilities — high breach impact -20

The skill specifically targets caregiving for people with quadriplegia, spinal cord injuries, MS, and chronic conditions. It reads 39 health metrics including thermoregulation data, UTI pattern indicators, pressure injury risk signals, and medication inference patterns. For this population, health data exposure is not merely a privacy violation but could affect insurance, employment, caregiving arrangements, or physical safety. The skill's access to this data warrants commensurate caution about the author's trustworthiness.

LOW Telegram channel recipient is unauditable and user-configured -15

The actual Telegram bot token and chat ID to which health data is sent are runtime configuration items outside this skill's code. A malicious deployment could send health alerts to an attacker-controlled Telegram channel. Users must independently verify that the Telegram configuration points only to their own accounts.

LOW SIGALRM-based file timeout may interact with agent signal handling -5

import_health.py uses Python's signal.SIGALRM and signal.alarm() to time out iCloud-locked file reads. This is functionally appropriate but non-standard. In an agent context where the host process may also use SIGALRM, this could cause unexpected signal masking or handler overwriting. The implementation does restore the original handler, reducing risk.

LOW Pre-clone connection to Canonical Ubuntu servers observed -10

A TLS connection to 91.189.91.49:443 (Canonical Ltd, Ubuntu update infrastructure) was active at 04:35:35, predating the skill clone by 6 seconds. This is consistent with background system package update activity (apt/snapd) unrelated to the skill. No data correlation to skill activity found.

INFO Canary credential files read during monitoring — attributed to audit framework -10

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened with CLOSE_NOWRITE (read-only) at 04:35:35 and 04:35:52. Both timestamps bracket the skill installation window (clone: 04:35:41, install complete: 04:35:47, analysis: 04:35:50–51). The pre-installation reads are consistent with the audit framework hashing canary files for baseline; the post-analysis reads are consistent with the final integrity verification pass. The canary integrity report confirms all files unmodified.