Skillv0.1.0

ClawScan security

Nutrition Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 4, 2026, 12:07 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is internally consistent with its description: it logs meals and maintains a local Obsidian-based profile and monthly logs, and does not request credentials or reach out to external endpoints.
Guidance: This skill appears to do exactly what it says: run the provided scripts to store a nutrition profile and log meals inside an Obsidian vault. Before installing or running it: (1) review the included scripts (they are short and bundled) — they operate locally and do not make network requests; (2) back up your Obsidian vault or set OBSIDIAN_VAULT to a test directory to avoid unintended modifications; (3) be aware the scripts will create/overwrite health/eat/profile.json and a monthly markdown file in the chosen vault; and (4) if you need stricter isolation, run the scripts in a sandbox or on a test vault first.

Review Dimensions

Purpose & Capability: okThe scripts create/read/write a profile.json and monthly markdown files inside an Obsidian vault (default: ~/Documents/obsidian/yzhai-daily) and compute macro/ calorie targets. The requested files, commands, and behavior line up with the 'Nutrition Tracker' description; there are no unrelated services, credentials, or binaries required.
Instruction Scope: noteThe runtime instructions tell the agent to run bundled shell/Python scripts that will modify files in the user's Obsidian vault (create directories, write profile.json, update monthly .md logs). This is expected for the stated purpose, but be aware the skill will write to your filesystem (the default vault or whatever OBSIDIAN_VAULT you set). There are no network calls or attempts to read unrelated system files. If you want to be cautious, back up your vault or point OBSIDIAN_VAULT at a test directory before use.
Install Mechanism: okThere is no install specification (instruction-only). All code is included in the skill bundle (scripts and locales); nothing is downloaded or installed from external URLs.
Credentials: okThe skill requires no credentials or secret environment variables. It optionally respects OBSIDIAN_VAULT if present to choose the storage path; otherwise it uses a sensible default. No broad credential access is requested.
Persistence & Privilege: okalways is false and the skill is user-invocable only. It does not attempt to modify other skills or system-wide settings; its persistent effect is limited to creating/updating files in the vault (its own data).