GutCheck Digestive Health Tracker
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: gutcheck
Version: 1.0.0
The skill bundle is for a 'GutCheck' digestive health tracking application. The `SKILL.md` defines standard Node.js application installation steps, including cloning a GitHub repository (`https://github.com/openclaw/gutcheck.git`) and running `npm install`. The `publish_gutcheck.js` script uses `child_process.execSync` to interact with the `clawhub` CLI for publishing, which is a legitimate use of shell execution for its stated purpose. All documentation files, including `SKILL.md` and `PUBLISHING_INSTRUCTIONS.md`, contain instructions and commands that are directly relevant to the skill's purpose (installation, setup, publishing) and do not exhibit any prompt injection attempts to subvert the agent's core task or access sensitive data. There is no evidence of data exfiltration, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the tracker could execute code and dependency scripts that were not included in this review.
The reviewed package does not include the actual app implementation, and SKILL.md points users to clone and install dependencies from an external repository. That remote code and npm install behavior are outside the provided review evidence.
"kind": "git", "url": "https://github.com/openclaw/gutcheck.git", "dest": "./gutcheck" ... "command": "cd gutcheck && npm install"
Review the referenced GitHub repository and npm dependency tree before running npm install or starting the app.
If followed, these instructions could publish or modify a ClawHub skill using the user's account.
The documentation asks for ClawHub authentication and skill publication authority. That is a privileged account action and is not needed for a normal user to track digestive health.
npx clawhub login ... npx clawhub publish ./gutcheck-skill --slug gutcheck --name "GutCheck Digestive Health Tracker"
Do not run the publishing instructions unless you intend to publish this package and understand the account impact.
Running the script can perform a public registry action from the user's environment rather than simply launching the health tracker.
The included executable script invokes a shell command that publishes to ClawHub. This is unrelated to the tracker runtime and uses external CLI behavior.
execSync(`npx clawhub publish ${tempDir} --slug gutcheck --name "GutCheck Digestive Health Tracker" --version 1.0.0 --changelog "Initial release of GutCheck skill"`, { stdio: 'inherit' });
Avoid running publish_gutcheck.js unless you have reviewed it and specifically want to publish the skill.
Meal logs, symptoms, and derived food sensitivity insights may be stored locally and should be protected like other health data.
The application is designed to persist meal and digestive-response data in a database. That is purpose-aligned, but it is sensitive health-related information.
MONGODB_URI=mongodb://localhost:27017/gutcheck ... POST /api/diet/add-meal ... GET /api/diet/my-meals
Use a strong JWT secret, protect the database, and avoid entering health information unless you are comfortable with the app's storage model.
Users may over-trust privacy protections for sensitive health information without confirming how the actual app stores and protects data.
The package makes a strong privacy and encryption claim, but the reviewed artifacts do not include the app implementation needed to verify it.
Privacy-Focused: All personal health data remains encrypted and under user control, with no sharing with third parties without explicit consent.
Verify the implementation of encryption, access controls, and data sharing behavior before relying on the privacy claim.
