Fetches health data from the Withings API including weight, body composition (fat, muscle, bone, water), activity, and sleep. Use this skill when the user asks about their Withings data, weight history, body metrics, daily steps, sleep quality, or any health measurement from Withings devices.
Security Analysis
medium confidence
The skill's requirements and runtime instructions match its stated purpose (fetching Withings data) and it only asks for the expected Withings client ID/secret and node runtime, but you should review the included wrapper.js to confirm how tokens and data are stored/transmitted before installing.
Name/description (Withings health data) align with required binaries (node) and required env vars (WITHINGS_CLIENT_ID, WITHINGS_CLIENT_SECRET). The commands in SKILL.md map to a local wrapper.js that would reasonably implement OAuth and API calls to Withings.
SKILL.md confines runtime actions to running wrapper.js for auth and data retrieval and explains the OAuth flow and expected outputs. It does not instruct reading unrelated files or asking for unrelated credentials. It suggests creating a local .env file and using localhost callback URL for OAuth, which is typical for developer apps.
There is no install spec (instruction-only) and the skill includes a local wrapper.js file; no external downloads or package installs are requested. Risk is limited to executing the provided JavaScript locally (node), so review of that file is recommended.
Only WITHINGS_CLIENT_ID and WITHINGS_CLIENT_SECRET are required, which is proportionate for a Withings integration. The SKILL.md does not request unrelated secrets or multiple unrelated credentials. It does note token refresh behavior but does not specify where tokens are persisted — that should be verified in wrapper.js.
The skill is not marked always:true and has no OS restrictions. disable-model-invocation is not set (default model-invocable), which is normal for user-invoked integration skills. Confirm where and how tokens are stored (disk vs ephemeral) because persistent token storage could allow later access unless managed carefully.
Guidance
This skill appears coherent for accessing Withings data: it needs your Withings client ID and secret and runs a local node script to perform OAuth and fetch metrics. Before installing or running it:
1) Inspect wrapper.js to confirm it only performs Withings API calls and to see where OAuth tokens are saved (disk location, permissions, encryption).
2) Keep your WITHINGS_CLIENT_SECRET private and do not commit a .env to version control.
3) Use the localhost OAuth callback as described and verify the app on Withings is configured correctly.
4) If you plan to let the AI model invoke skills autonomously, be aware the skill can use stored tokens to access your Withings data later — only proceed if you trust the code and token handling.
If you are not comfortable reviewing the code, ask the publisher for a security summary of token storage and network destinations.
Latest Release
v1.0.1
Expanded skill to support all major Withings health metrics and improved documentation.
- Added support for retrieving body composition, activity, and sleep data in addition to weight.
- Expanded documentation on when and how to use the skill, with detailed command examples and sample outputs.
- Clarified error handling and troubleshooting steps.
- Updated description to reflect broader capabilities (not just weight/activity).
- Documented data formats and new command options for body metrics, activity period, and sleep history.
Published by @hisxo on ClawHub