diet-record

Security checks across malware telemetry and agentic risk

Overview

This diet logger is coherent and local-only, but it stores personal diet and preference data that users should treat as sensitive.

Install only if you are comfortable with meal history and diet-related preferences being stored locally as diet-log.jsonl and diet-preferences.json. Be cautious with automatic photo logging, and periodically review or delete those files if you no longer want the records kept.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The daily summary section instructs execution of an inline Python command to read and process local files. Even though the code is simple and aligned with the feature, embedding shell/code execution in a skill increases the attack surface and normalizes interpreter access that is broader than necessary for a diet-logging workflow. In an agent environment, this can become dangerous if later modified, parameterized, or combined with untrusted inputs.

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger list includes broad phrases such as asking for calorie info, sending a photo, or discussing what was eaten today, which can cause the skill to activate in situations the user did not intend for persistent logging. Because this skill stores health-related dietary data, unintended activation creates a privacy risk and may lead to silent collection or retention of sensitive information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill persistently stores dietary preferences, allergies, goals, and meal history in local files, but the description does not clearly warn users that sensitive health-related data is being retained. This lack of transparency can undermine informed consent and increases privacy/compliance risk, especially because allergies and diet goals may qualify as sensitive personal data in some contexts.

VirusTotal

66/66 vendors flagged this skill as clean.
