Mealplan
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: mealplan
Version: 3.0.0

The script `scripts/script.sh` contains a shell injection vulnerability in the `cmd_add` function, where user-provided arguments are concatenated into an `echo` command without proper quoting or sanitization. While the skill's functionality is consistent with its stated purpose of meal planning, this flaw allows for arbitrary command execution if the agent passes maliciously crafted input to the script.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can run a local Bash script to manage meal-plan data.
The skill is operated through an included local shell script. This is expected for the documented command interface, but users should know the agent may run this helper when using the skill.
`scripts/script.sh add <meal calories type>`
Use it only for meal-planning tasks and review the included script if you are uncomfortable with local command execution.
Meal entries may remain on disk and could be shown again in later use of the skill.
The skill stores meal and calorie history persistently on the local machine. This is disclosed and purpose-aligned, but meal history can reveal personal dietary or health-related information.
Data stored in `~/.local/share/mealplan/`.
Avoid storing sensitive health details unless you are comfortable keeping them locally, and delete `~/.local/share/mealplan/` if you no longer want the history retained.
