Safety Report

Nori Health

Name: Nori Health
Rating: 5 (2 reviews)
Author: danmurphy1217

Query your personal health data from wearables and nutrition logs and get AI coaching on sleep, workouts, heart rate, recovery, and health insights.

224Downloads

0Installs

2Stars

7Versions

Database Management1,222 Healthcare460

Security Analysis

high confidence

Clean0.08 risk

The skill is internally consistent with its stated purpose (relaying user health queries to the Nori API) and requires a single Nori API key; the primary residual risk is privacy of sensitive health data and a minor metadata mismatch in the registry.

Feb 21, 20261 files2 concerns

Purpose & Capabilityok

The name/description (health coaching from wearables/nutrition) matches the runtime instructions: messages are POSTed to https://api.nori.health with a Bearer NORI_API_KEY. The requirement for curl/jq and an API key is appropriate. Note: the registry metadata supplied earlier stated no required env vars, but SKILL.md declares NORI_API_KEY and required bins (curl, jq) — this mismatch may cause runtime confusion or deployment errors.

Instruction Scopenote

SKILL.md limits behavior to forwarding the user's message verbatim to Nori and returning Nori's reply verbatim. It does not instruct reading unrelated files or other credentials. Important privacy note: forwarding verbatim health data to an external service is expected for the skill but is inherently sensitive — the instructions also suggest storing the API key in ~/.openclaw/openclaw.json (plaintext), which raises local-secret storage risk.

Install Mechanismok

Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This is a low-installation-risk configuration.

Credentialsnote

The only credential the instructions require is NORI_API_KEY, which is proportional to the stated API-forwarding purpose. The declared dependency on curl and jq is reasonable. However, the registry-level metadata earlier indicated no required env vars while the SKILL.md requires NORI_API_KEY — this inconsistency should be resolved before install. Also consider that the API key and sensitive health data are being transmitted to a third party, which is a significant privacy consideration even if technically proportional.

Persistence & Privilegeok

The skill does not request always:true or any elevated persistence or system-wide configuration changes. It only suggests storing a key in the agent's config (its own config), which is normal for API-based skills.

Guidance

This skill appears to do what it says: it relays your health-related messages to Nori's API and returns Nori's reply. Before installing: 1) Be sure you trust Nori (https://nori.health) and read its privacy policy — you're sending sensitive health data to an external service. 2) Verify the skill's source/owner if possible (registry shows an owner ID but no homepage in the top-level metadata); unknown source reduces trust. 3) Note the registry metadata mismatch: SKILL.md requires NORI_API_KEY and curl/jq but the registry entry earlier listed none — fix or verify this to avoid runtime failures. 4) Prefer storing the API key in a secure secrets store rather than in plaintext in ~/.openclaw/openclaw.json. 5) Consider limiting what you ask the skill (avoid sending identifiers, SSNs, or other non-essential sensitive data) and confirm Nori's data retention/sharing policies. If you need help validating the homepage, API domain, or privacy terms, verify those before enabling the skill.

Latest Release

v1.0.6

nori-health 1.0.6 - No file changes detected in this release.

Popular Skills

self-improving-agent

@pskoett · 1,456 stars

Gog

@steipete · 672 stars

Tavily Web Search

@arun-8687 · 620 stars

Find Skills

@JimLiuxinghai · 529 stars

Proactive Agent

@halthelobster · 426 stars

Summarize

@summarize · 415 stars

Published by @danmurphy1217 on ClawHub