Track water and sleep with JSON file storage
Security Analysis
medium confidence
Skill's stated purpose (local JSON health tracking) matches its instructions, but there are inconsistencies and a command-injection risk from the one-line node -e shells and an undeclared Node runtime requirement.
The SKILL.md implements a simple local JSON-based water/sleep tracker, which matches the name and description. However, the runtime commands require Node.js (node -e) but the skill declares no required binaries; that mismatch should be resolved or documented.
Instructions only read/write {baseDir}/health-data.json (in-scope), but they instruct running inline node -e one-liners where the agent is expected to substitute user values (CUPS, NEW_CUPS). If those substitutions are not strictly validated/parsed as numbers, an attacker-controlled input could lead to shell/JS code injection or unintended filesystem writes. The SKILL.md does not include any sanitization or parsing guidance beyond 'replace CUPS with number'.
No install spec (instruction-only), so nothing is written to disk at install time. This is low-risk, but runtime does depend on Node.js being available (not declared).
No environment variables, credentials, or config paths are requested — appropriate for a local JSON tracker.
always:false and standard autonomous invocation allowed. The skill does not request persistent platform-wide privileges or modify other skills' configs.
Guidance
This skill appears to do what it says (local JSON health tracking), but you should check a few things before installing or enabling it:
- Ensure the agent/platform will run these commands with Node.js available; the skill fails silently if node is missing even though it doesn't declare node as a required binary.
- Verify how the agent substitutes user input (CUPS, NEW_CUPS). Inputs must be parsed/validated as numbers before being inserted into the one-line node -e commands to avoid JS/shell injection. Prefer numeric parsing rather than raw string substitution.
- Confirm what {baseDir} resolves to and that the skill is restricted to that directory; otherwise the one-liners could read/write unexpected paths.
- If you need stronger safety, ask the maintainer to provide safer code (e.g., a small script file that accepts sanitized arguments) or to declare Node as a required binary and include explicit input-sanitization steps in SKILL.md.
Given the injection risk and the undeclared Node dependency, treat this skill as suspicious until those issues are clarified or fixed.
Latest Release
v1.0.2
- Renamed skill from "health-tracker" to "healthcheck"
- Simplified and rewrote documentation for conciseness and clarity
- Shortened all Node.js one-liners for recording and managing water and sleep data
- Updated data format: renamed fields (e.g., "timestamp" → "time"), edited usage examples
- Removed metadata and some advanced examples (e.g., reminders, detailed stats)
- Focused on essential file operations: add, update, delete, and stats for water/sleep records
Published by @Stellarhold170NT on ClawHub