Back to skill
Skillv1.0.0
ClawScan security
myfood-by · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 1:18 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are internally consistent with a local food-inventory / recipe recommender that stores inventory in a skill-local file; no unrelated credentials or installs are requested.
- Guidance
- This skill appears to do what it claims, but before installing: 1) Confirm where the agent stores skill files (the path that contains references/my-food.md) and whether that location is backed up or shared. 2) Avoid entering sensitive personal health details into the skill—the SKILL.md says they won't be saved, but that isn't technically enforced in the instructions. 3) Test with non-sensitive inventory data first, then inspect references/my-food.md to verify contents and that deletions behave as expected. 4) If you need stronger privacy, consider encrypting the file or running the skill only in an environment where the skill directory is private. 5) Remove the skill and delete references/my-food.md when you no longer want the inventory retained.
Review Dimensions
- Purpose & Capability
- okThe name/description (food inventory and recommendation) matches the actions described: registering/querying/updating inventory and generating recommendations using the main model. Requiring a references/my-food.md file in the skill directory to hold inventory is coherent for this purpose.
- Instruction Scope
- noteAll runtime instructions operate on a single skill-local file (references/my-food.md) and on real-time user prompts. This stays within the stated purpose. Note: the SKILL.md asserts that health-sensitive info is not saved, but there is no technical enforcement described—care should be taken about what the agent is asked at runtime.
- Install Mechanism
- okNo install spec or external downloads; this is an instruction-only skill (lowest install risk).
- Credentials
- okThe skill requests no environment variables, binaries, or credentials. There are no disproportionate credential requests.
- Persistence & Privilege
- noteThe skill writes persistent state to references/my-food.md in the skill directory (creates it if missing). This is expected for inventory, but users should note that data will persist across runs and may be included in backups, logs, or accessible to anyone with access to the skill files.