Is lainnet-42/apple-watch safe?

https://github.com/openclaw/skills/tree/main/skills/lainnet-42/apple-watch

Overall score: 75 · CAUTION

The apple-watch skill provides a legitimate Apple Watch health data sync pipeline but carries meaningful operational risks: it registers a privileged, reboot-persistent OS service (Scheduled Task or LaunchAgent), downloads an unaudited external GitHub repository during setup, exposes a LAN-wide Flask health data API with the API key embedded in generated HTML, and instructs the agent to permanently modify HEARTBEAT.md to enable ongoing biometric polling. No active prompt injection, external exfiltration, or canary-file compromise was detected; the skill does what it claims. However, the combination of OS persistence, LAN exposure of sensitive biometric data, and heartbeat manipulation warrants careful user review before installation.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (11)

HIGH OS-level persistence via Scheduled Task / LaunchAgent -20

SKILL.md instructs the agent to register server.py as a Windows Scheduled Task with RunLevel Highest and an AtLogon trigger, or as a macOS LaunchAgent with RunAtLoad and KeepAlive set to true. This creates a privileged, auto-restarting background process that persists across reboots and survives agent session termination.

HIGH External repository downloaded and extracted during setup -15

setup.py downloads the HealthyApps/health-auto-export-server GitHub repository via git clone or zip fetch and extracts it into the skill's upstream/ directory. This external codebase is not part of the audited skill and could be modified to include malicious content. Although the downloaded code is currently only used as a reference for Grafana dashboards, the download mechanism runs within the user's environment.

MEDIUM Heartbeat file manipulation establishes persistent agent behavior -12

SKILL.md contains detailed instructions for the agent to write health-monitoring tasks into HEARTBEAT.md, including API key-bearing curl commands and conditional logic. This modifies the agent's recurring autonomous behavior outside the scope of any single user request, persisting health polling across all future heartbeat cycles.

MEDIUM API key hardcoded in generated dashboard HTML -8

The step_dashboard() function in setup.py generates dashboard.html containing the API key as a JavaScript literal: const KEY=. Any process that can read the file system, including other skills or malicious code, can extract this key and use it to query the health data API without needing any other credential.

MEDIUM Health data server binds to all interfaces (0.0.0.0) -7

The generated server.py runs Flask on host='0.0.0.0', making the health data API reachable from any device on the LAN. While an API key is required, the key is also embedded in dashboard.html and the phone automation template (base64-encoded). Any LAN device that obtains the key can query all stored biometric data.

MEDIUM Auto-installs Flask system package without confirmation -10

ensure_flask() silently runs pip install flask using the system Python interpreter when Flask is not detected. This modifies the user's Python environment without an explicit consent prompt and could conflict with existing package versions.

MEDIUM SIGKILL sent to arbitrary processes occupying port 3001 -5

SKILL.md instructs the agent to run lsof -ti:3001 | xargs kill -9 (macOS/Linux) or the PowerShell equivalent before starting the server. This force-kills any process bound to port 3001 regardless of what it is, potentially terminating unrelated user services.

LOW Agent instructed to send credential file directly to user -10

The setup flow explicitly tells the agent 'SEND THE FILE TO USER' when referring to .env.json (which contains the API key). While the intent is legitimate (user needs the key for phone configuration), this instruction pattern normalizes the agent relaying local credential files and could be abused in a modified version of the skill.

LOW Sensitive biometric data stored as unencrypted plaintext -10

All health metrics (sleep analysis, heart rate, blood oxygen, HRV, etc.) are appended to JSONL files under data/metrics/ with no encryption. This data constitutes sensitive medical information and is retained indefinitely in plaintext on the user's filesystem.

INFO Canary files accessed by audit infrastructure at install boundaries -5

Filesystem and auditd records show canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were opened at timestamps 1771918020 (pre-install) and 1771918037 (post-install). Process context (sudo/PAM authentication chains, oathe monitoring commands) and the canonical 'All canary files intact' result indicate these reads originated from the oathe audit infrastructure performing baseline and verification checks, not from the skill itself.

INFO Missing tutorial images referenced in SKILL.md 0

SKILL.md instructs the agent to send tutorial_imgs/step1.png, step2.png, and step3.png to the user, but no tutorial_imgs/ directory was installed. Agent attempts to send these files will fail silently or produce confusing error messages.