Is devpranoy/ultrahuman-openclaw safe?

https://github.com/openclaw/skills/tree/main/skills/devpranoy/ultrahuman-openclaw

Overall score: 89/100 (SAFE)

The ultrahuman-openclaw skill is a well-scoped health metrics integration with no prompt injection, no malicious code, and clean canary integrity. The Python script follows secure subprocess patterns and its credential reads are targeted and expected for OpenClaw integration. The primary risk is supply chain: the skill requires building an unaudited external MCP server (Monasterolo21/Ultrahuman-MCP) that receives authentication tokens and makes outbound API calls. That server is outside the scope of this audit.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Unaudited external MCP server dependency -17

The skill's setup instructions direct users to clone and build https://github.com/Monasterolo21/Ultrahuman-MCP, an external repository that is not part of this audit. The built binary receives ULTRAHUMAN_AUTH_TOKEN and ULTRAHUMAN_USER_EMAIL as environment variables and makes outbound API calls to Ultrahuman servers. A compromised version of this dependency could exfiltrate credentials or health data.

LOW Python script reads ~/.openclaw/openclaw.json -13

The script opens the OpenClaw workspace config file to extract Ultrahuman credentials as a fallback when env vars are not set. While targeted, this file may contain other sensitive configuration beyond the two fields extracted.

LOW Script invokes external binary via subprocess -9

ultrahuman_summary.py calls mcporter via subprocess.run() with a config-file path and date argument. The mcporter binary's behavior is outside the scope of this audit. The subprocess call uses list form (not shell=True), so no shell injection is possible, but mcporter itself could behave maliciously.

INFO External GitHub network connection during install 0

Installation clones from github.com/openclaw/skills.git (140.82.121.3:443). This is expected and normal for the skills monorepo install mechanism.

INFO Sensitive health data processed in plaintext 0

The skill processes personal health metrics including sleep stages, HRV, RHR, and step counts. No exfiltration is observed, but users should be aware this data flows through the external mcporter/Ultrahuman-MCP stack before being summarized.