Xiaoka Health Diet Log skill

Security checks across malware telemetry and agentic risk

Overview

This food logging skill mostly does what it claims, but its broad auto-trigger can send personal diet details to a remote service without a clear logging request.

Install only if you trust the Xiaoka Health service and intentionally want meal descriptions sent to its API. Use explicit logging phrases, avoid casual food discussion while the skill is enabled, and delete or revoke the stored API key if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill executes shell commands (`curl`, `jq`, file reads/writes, `rm`) but does not declare corresponding permissions, which weakens the platform's ability to gate risky capabilities and inform users. In this context the shell is used to access local credential files and transmit health data to a remote service, so undeclared capability use materially increases security and transparency risk.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding: The description mandates triggering on broad natural-language patterns such as any description of what the user ate, which can cause unintended invocation during ordinary conversation. Because invocation sends potentially sensitive dietary/health data to a remote API, false triggers become a privacy and consent problem rather than just a UX issue.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The trigger condition '用户描述吃了什么' ("the user describes what they ate") is overly vague and lacks boundaries, making it easy for the skill to activate on incidental or quoted text. In a health logging skill that forwards content externally, ambiguity directly increases the chance of non-consensual data logging and transmission.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill instructs storing the API key in plaintext in a local file without clearly warning about local secret exposure or recommending safer storage. Even with `chmod 600`, plaintext credentials remain accessible to the current user account and potentially other local processes running as that user, increasing the risk of token theft and account misuse.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill sends user dietary information and a bearer token to a third-party API but does not meaningfully disclose the privacy implications, retention expectations, or transmission scope. Given that food logs can reveal health-related personal data, missing notice and consent makes the integration more sensitive than ordinary telemetry.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
XIAOKA_API="https://cal-cn.ishuohua.cn"
CRED="$HOME/.openclaw/workspace/skills/xiaoka-food-log/.credentials"
XIAOKA_API_KEY=$(cat "$CRED")
curl -s -X POST "$XIAOKA_API/openclaw/api/food/log" \
  -H "Authorization: Bearer $XIAOKA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"text": "一碗米饭和红烧肉", "meal_type": "lunch"}' | jq .
Confidence: 93%
Finding: The command above reads the API key from the plaintext credentials file and POSTs the meal description, together with the bearer token, to the remote Xiaoka API.

VirusTotal

65/65 vendors flagged this skill as clean.
