Is hisxo/withings-health safe?

https://github.com/openclaw/skills/tree/main/skills/hisxo/withings-health

Overall score: 92/100
Verdict: SAFE

The withings-health skill is a well-scoped Withings API integration with clean SKILL.md instructions, no prompt injection patterns, and network activity confined to legitimate Withings endpoints. wrapper.js uses only Node.js built-ins and has no install scripts; all canary honeypot files remained intact and no exfiltration was detected. The remaining concerns are minor: OAuth tokens are stored in plaintext inside the skill directory, and the version declared in SKILL.md does not match the published registry metadata.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 93/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (5)

LOW OAuth tokens stored in plaintext JSON file -8

The saveTokens() function writes access_token, refresh_token, and expiry metadata to tokens.json inside the skill directory with no encryption. Any process or skill with read access to the skill directory can obtain valid Withings OAuth tokens, and because the refresh_token is included, the access persists until the grant is revoked rather than only until the current access_token expires.

LOW Plaintext credential files accessible to co-installed skills -8

Both the .env file (containing CLIENT_ID and CLIENT_SECRET) and tokens.json (containing live OAuth tokens) reside in the skill directory. A malicious co-installed skill with filesystem read capability could harvest these credentials and impersonate the user's Withings account.

INFO Version inconsistency between SKILL.md and _meta.json -3

SKILL.md declares version 1.1.0 while _meta.json records the latest published version as 1.0.1. This suggests either that the skill was modified locally after publication or that the registry metadata was not updated. It is not a security risk in itself, but it makes it harder to tie the audited files to a specific published release.

INFO Skill reads .env from its own directory -2

On startup, wrapper.js checks for and reads a .env file in the skill's installation directory to load WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET. This behavior is explicitly documented in SKILL.md and is confined to the skill's own directory (not the user's home directory).

INFO {baseDir} template variable in skill instructions -2

SKILL.md uses {baseDir} as a placeholder for the agent to substitute the actual skill installation path when constructing node commands. This is a standard template pattern and does not represent an injection vector under normal agent behavior, provided the agent substitutes the installation path it resolved itself rather than untrusted input.