📦 Fitbit Analytics — 健康数据整合
v1.0.0一键接入 Fitbit Web API,实时获取步数、心率、睡眠、活动、卡路里等多维健康数据,自动生成趋势图表与异常预警,助你轻松追踪身体状态。
1· 2.4k·2 当前·2 累计
by @kesslerio下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to implement Fitbit API access and reporting as described, but review the following before installing:
- The code will read from and write to ~/.config/systemd/user/secrets.conf (and will create ~/.fitbit-analytics/tokens.json). If you run it, it will attempt to persist refreshed access/refresh tokens into that secrets.conf file and set file permissions. Ensure that file is not used for unrelated secrets you don't want overwritten.
- If you prefer not to have tokens persiste...详细分析 ▾
✓ 用途与能力
Name, description, required env vars (FITBIT_CLIENT_ID, FITBIT_CLIENT_SECRET, FITBIT_ACCESS_TOKEN, FITBIT_REFRESH_TOKEN) and required binary (python3) all align with a Fitbit Web API integration. The included scripts implement Fitbit endpoints and reporting features described in the SKILL.md.
ℹ 指令范围
SKILL.md instructs running the included Python scripts and setting env vars — consistent with purpose. It also suggests OpenClaw cron automation delivering outputs to channels (e.g., Telegram). The runtime instructions and CLI usages stay within Fitbit data collection and reporting; they do not instruct collection of unrelated system files or network endpoints beyond Fitbit/dev.fitbit.com.
✓ 安装机制
No install spec or external downloads are used; this is an instruction-only skill with Python scripts included. Risk from install mechanism is low because nothing is fetched from arbitrary URLs and no package managers are invoked.
⚠ 凭证需求
Although the declared env vars match Fitbit, the code also reads and writes a secrets file at ~/.config/systemd/user/secrets.conf and persists tokens to ~/.fitbit-analytics/tokens.json. The registry metadata did not declare these config paths. Writing to a user secrets file in the home directory (and updating tokens there) is a broader filesystem/credential footprint than the SKILL.md explicitly declares and could overwrite or mix with other stored secrets.
⚠ 持久化与权限
The client auto-refreshes tokens and persists them to disk (secrets.conf and a token cache), and sets file permissions. Persisting refresh tokens and access tokens on the user's filesystem is expected for long-running integrations, but it is a permanent change to user files and therefore higher privilege than a read-only skill. This behavior should be disclosed up-front in the registry metadata (required config paths) and verified by the user.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/1/23
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install fitbit-analytics
镜像加速npx clawhub@latest install fitbit-analytics --registry https://cn.longxiaskill.com