Skill v3.4.1
ClawScan security
Diet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 7:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with a local meal-and-nutrition tracker: it uses bash/python, stores data under ~/.diet, and does not request external credentials or network access.
- Guidance: This skill appears to do exactly what it claims and keeps data local. Before installing, consider: (1) review the included scripts yourself (they are plain shell/python) to confirm you’re comfortable running them; (2) note that meal and water logs are stored unencrypted under ~/.diet — if this is sensitive, restrict permissions (chmod 700 ~/.diet and chmod 600 ~/.diet/*) or store backups securely; (3) ensure you have bash and python3 available (jq is optional); (4) because the skill has no network behavior, your data is not transmitted by the script, but always verify the source (GitHub/homepage) if you plan to run code from an external repo.
Review Dimensions
- Purpose & Capability: ok. Name/description match the implementation: the SKILL.md and scripts provide commands for logging meals, calories, macros, water, plans, and reports. Required tools (bash, python3) and local JSON storage under ~/.diet are reasonable for this purpose.
- Instruction Scope: ok. Runtime instructions and the shell script operate on local files only (~/.diet/meals.json, water.json). They do not read other system config, request environment secrets, or send data to external endpoints. The behavior is constrained to the described functionality.
- Install Mechanism: ok. There is no install spec — the skill is instruction-only with an included script. That is low-risk; the script is stored as a file in the skill bundle but nothing in the metadata would auto-download arbitrary remote code.
- Credentials: ok. No environment variables or credentials are required. The script uses a few environment variables internally when invoking python, which is normal and local to the process.
- Persistence & Privilege: ok. always is false and the skill is user-invocable. It does not request to be permanently injected into other agent settings or modify other skills. Its persistence is limited to creating the ~/.diet directory and JSON files for user data.
