Skill v1.0.0
ClawScan security
小卡健康饮食记录 (Xiaoka Healthy Diet Log) skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 30, 2026, 2:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource requests are consistent with a meal-logging utility: it uses curl/jq, stores a service API key in a skill-local file, and calls a single external food-log API — nothing appears disproportionate or unrelated to the stated purpose.
- Guidance: This skill appears to do only meal logging and stores a single API key in a skill-local file (~/.openclaw/workspace/skills/xiaoka-food-log/.credentials). Before installing: confirm you trust the remote service (https://cal-cn.ishuohua.cn), since logged food data and the API key will be sent/stored there; verify the pairing flow in the official app and, if you later want to revoke access, delete the credential file or revoke the key in the service. If you need stronger protections, prefer storing API keys in a secure credential manager or verify the service's privacy policy and domain ownership.
Review Dimensions
- Purpose & Capability (ok): Name/description (food logging) matches required binaries (curl, jq), the included script, and the described API calls. No unrelated credentials or system resources are requested.
- Instruction Scope (ok): SKILL.md and the shell script only instruct reading/writing a skill-scoped credential file (~/.openclaw/workspace/skills/xiaoka-food-log/.credentials), calling endpoints under https://cal-cn.ishuohua.cn for pairing, logging, and viewing today's records, and handling common HTTP errors. They do not request unrelated files, system-wide config, or external endpoints beyond the service domain.
- Install Mechanism (ok): No install spec — instruction-only plus a local shell script. No downloads or archive extraction. This minimizes installation risk.
- Credentials (ok): No required environment variables or external credentials are declared; the skill stores a single service API key in a skill-specific local file. The credential usage is proportional to the feature (API-authenticated food logging).
- Persistence & Privilege (ok): `always` is false and the skill only reads/writes its own credential file; it does not modify other skills or system-wide configuration. Autonomous invocation is allowed by default but is not combined with excessive privileges.
