Vitamin
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a benign local supplement tracker. Note that it stores health-related logs on disk, and that its CLI installation and reminder behavior should be understood before use.
This skill looks safe for local supplement tracking, but be comfortable with health-related entries being saved under `~/.local/share/vitamin/`. Verify that any `vitamin` command you run comes from the reviewed source, and do not depend on it for automatic dose notifications unless you confirm that scheduling is actually implemented.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your supplement history, goals, and reminder text may remain on disk and could be exposed through local backups, other local tools, or later agent interactions that read the logs.
The skill intentionally persists health and supplement-related user entries for later history, search, and export; this is expected for the tracker but may include sensitive personal data or prompt-like text that should be treated as data, not instructions.
All data is stored locally at `~/.local/share/vitamin/`. Each action is logged with timestamps. Use `export` to back up your data anytime.
Avoid entering secrets or highly sensitive medical details, treat retrieved log entries as untrusted user data, and review or delete the local data directory if you no longer want the history retained.
You may need to manually confirm which `vitamin` executable will run and that it comes from the reviewed source.
The package includes a shell script and the documentation expects a `vitamin` CLI, but the registry does not declare how that command is installed; no hidden install behavior is shown, but installation provenance is less explicit.
Install specifications: No install spec — this is an instruction-only skill.
Code file presence: 1 code file(s): `scripts/script.sh`
Install or invoke only the script from the stated source, and avoid running unrelated installer commands not described by the artifact.
A user might think dose reminders will actively notify them when the artifact evidence mainly shows reminder notes being saved.
The visible `remind` command stores reminder text as a log entry; it does not clearly set up an operating-system scheduler or notification despite the description mentioning reminders and scheduling doses.
remind) ... echo "$ts|$input" >> "$DATA_DIR/remind.log" ... echo " Saved. Total remind entries: $total"
Do not rely on this skill alone for time-critical health reminders unless you confirm that an actual notification or scheduling mechanism is configured.
