Is moclippa/gevety safe?
https://github.com/openclaw/skills/tree/main/skills/moclippa/gevety
The Gevety health skill is a pure-markdown API integration with no executable code, no data exfiltration of local secrets, and a clean install process. Its primary security concerns are a server-controlled 'announcement' field that creates a prompt-injection surface via the Gevety API, a version discrepancy that causes persistent false update notifications, and the inherent sensitivity of the Protected Health Information it handles and exposes in the conversation context. No canary files were exfiltrated and all monitoring indicates benign installation behavior.
Findings (8)
MEDIUM Server-controlled announcement content injected into agent context -18
The skill instructs the agent to call GET https://api.gevety.com/api/v1/mcp/tools/status on first use each session and, if an 'announcement' field is present in the response, display it to the user. This announcement is fully server-controlled content with no sanitization or filtering. A compromised or malicious Gevety API could inject arbitrary text — including fake instructions, social engineering content, or prompt injection payloads — directly into the agent's operational context.
LOW Version discrepancy causes persistent false update notifications -5
The skill frontmatter declares version 1.5.0, but the update check logic hardcodes the comparison baseline as 1.4.0 with the comment '(this skill's version)'. Since api.gevety.com returns latest=1.5.0 (the real current version), every session the agent will incorrectly conclude an update is available and prompt the user to run 'clawdhub update gevety'. This is either a shipping bug or, more concerning, an intentional mechanism to repeatedly surface the update command.
MEDIUM Protected Health Information transmitted to third-party API -12
The skill's core function transmits sensitive health data — blood biomarkers, biological age calculations, supplement stacks, wearable metrics (HRV, sleep, HR), and 90-day health protocols — to api.gevety.com. While this is the stated and user-authorized purpose, the data includes PHI that is highly sensitive. Users must trust that Gevety's API, infrastructure, and data handling meet appropriate privacy and security standards. The skill provides no disclosure about data retention, third-party sharing, or jurisdiction.
LOW Server-controlled update command displayed to users -10
The update command shown to users ('clawdhub update gevety') is sourced from the server response field 'update_command'. A compromised status endpoint could substitute an arbitrary shell command string that would be displayed to the user as a legitimate update instruction.
INFO PHI in conversation context creates cross-skill data leakage risk -15
Health data fetched into the conversation window (biomarkers, biological age, supplement regimens) persists in context and is accessible to other co-installed skills. If a malicious co-installed skill is present, it could reference or exfiltrate this sensitive medical data. This is an architectural risk of the Clawdbot skill system rather than a flaw in this skill specifically.
INFO No executable code, install scripts, or hooks present 0
Complete audit of skill files found no executable code, npm install scripts, git hooks, gitattributes filters, git submodules, or symlinks. Skill is a pure markdown instruction file.
INFO All canary/honeypot files confirmed intact 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed during the audit session, but all accesses were traced to the Oathe audit framework's pre-install baseline and post-install integrity verification processes — not to the skill or any process it spawned. No modifications were detected and the integrity check reports all files intact.
INFO Clean installation with expected network activity only -5
Installation performed a shallow git clone of the openclaw/skills monorepo from GitHub, sparse-checked out the target skill path, copied files, and cleaned up. All observed network connections during installation were to github.com (140.82.112.4:443). No unexpected process spawning, no filesystem writes outside the designated skill directory, no backdoor listeners opened.