Access your Zen+ Health wellness data - notifications, timeline, and catalogue
Security Analysis
High confidence: the skill is internally consistent. It is an instruction-only integration that uses a read-only API key to call Zen+ Health endpoints via curl/jq and requests only the environment variables you'd expect.
Name/description match the requested artifacts: the skill reads notifications, timeline, catalogue and asks only for ZEN_API_KEY and ZEN_API_BASE_URL and standard CLI tools (curl, jq). These requirements are proportional to a read-only wellness integration.
SKILL.md contains explicit curl commands that only call the declared API endpoints under the configured base URL using the provided API key. Instructions do not ask the agent to read unrelated files, credentials, or system state.
No install spec and no code files — instruction-only. That minimizes risk because nothing is written to disk or downloaded by the skill itself.
The skill requires only ZEN_API_KEY (primary credential) and ZEN_API_BASE_URL, which are appropriate. One note: allowing the base URL to come from an env var is expected for flexibility but means a mis-set or malicious ZEN_API_BASE_URL could redirect requests to an attacker-controlled endpoint. Confirm you set ZEN_API_BASE_URL to the official API (https://api.zenplus.health) and keep the API key secret.
always is false and the skill does not request persistent system privileges or modify other skills. It is user-invocable and may be called autonomously by the agent (the platform default), which is normal for skills.
Guidance
This skill appears to do what it says: it uses a read-only Zen+ Health API key to fetch notifications, timeline, profile, and catalogue via curl/jq. Before installing: (1) Only set ZEN_API_BASE_URL to the official API (https://api.zenplus.health) to avoid redirecting requests to an untrusted endpoint. (2) Use a dedicated, read-only API key for this integration and revoke it if exposed. (3) Be aware API responses may be logged by your OpenClaw instance (SECURITY.md mentions this). (4) If you want to prevent autonomous calls, consider disabling model invocation for the skill via your agent settings. If you need deeper assurance, request the publisher provenance or host-verified metadata (homepage or official publisher link) because the registry source here is unknown.
Latest Release
v1.0.4
- Expanded skill description to highlight workplace wellness focus and added support for mood check-ins.
- Improved feature list in the description, specifying mindfulness exercises, breathing techniques, and a full wellbeing catalogue.
- No functional or command changes; information and feature positioning improved for clarity.
Published by @ollieparsley on ClawHub