🟡 Medium Risk Audited: Feb 5, 2026

huckleberry-skill

Track baby sleep, feeding, diapers, and growth via Huckleberry app API. Python-based baby activity tracker.

📋 Audit Summary

Author: aaronn
Category: Health
License: MIT
Dependencies: Python 3, huckleberry-api (pip)
Install Command: pip install git+https://github.com/Woyken/py-huckleberry-api.git

🔍 Security Analysis

⚠️ Network Access

Connects to Huckleberry's Firebase backend via a reverse-engineered API. Uses Firestore gRPC for real-time sync.

⚠️ Credential Storage

Stores Huckleberry credentials (email/password) in ~/.config/huckleberry/credentials.json or in environment variables. These credentials belong to a third-party service.

✅ Token Management

Uses Firebase authentication with automatic token refresh. Sessions stay authenticated without storing long-lived tokens.

✅ AI Attribution

The skill explicitly requires AI attribution on all logged entries ("Created via AI" / "Updated via AI"), creating an audit trail.

📦 Third-Party API

Uses py-huckleberry-api, a reverse-engineered Python client for Huckleberry's Firebase backend. This is an unofficial API integration.

Note: Huckleberry doesn't officially support API access. The integration may break if Huckleberry changes its backend.

Trust Score: 6.0 / 10
Medium Risk - Third-party API dependency

🎯 Permissions

network, filesystem, credentials

✅ Best Practices

  • AI attribution on all entries
  • Auto timezone handling
  • Multiple auth methods
  • Multi-child support

⚠️ Considerations

  • Unofficial API integration
  • No 2FA support
  • Third-party data storage
  • Firebase dependency