Nutrition MCP
Advisory
Audited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the MCP may execute code from the npm package under the user's local account.
The skill's setup and MCP configuration run an external npm package through npx, and the provided artifacts do not include that package's code or pin a version.
`npx -y wellness-nourish manifest` ... `"command": "npx", "args": ["-y", "wellness-nourish"]`
Inspect the referenced repository/package, consider pinning a known version, and run the manifest/doctor commands before trusting it with private data.
An agent using the MCP could log or update nutrition-related records or contact live providers if the user enables those flows.
The skill anticipates write operations and live provider calls, but it also gives purpose-aligned safety guidance to check status and use dry-run surfaces first.
Prefer connection_status, manifest, doctor, privacy_audit, or dry-run surfaces before any write or live provider call.
Keep consent explicit for logging or provider calls, and prefer dry-run/status checks before allowing writes.
If credentials are configured, they could grant access to nutrition or provider accounts and should not be exposed in chat or logs.
The skill warns about credential materials, and the provided capability signals also indicate OAuth/sensitive credential use, although registry metadata does not enumerate required credentials.
Do not print OAuth tokens, API keys, service-account JSON, local token files, or private user data.
Use least-privileged credentials where possible, avoid pasting secrets into prompts, and confirm exactly which providers and token scopes are being used.
Nutrition logs, hydration records, goals, summaries, and meal-photo-derived data may persist locally and could be sensitive.
The MCP stores user nutrition data locally and can log meal photos with confirmation, creating persistent private health-related records.
Local logs stay under ~/.wellness-nourish/. Meal photos require explicit user confirmation before logging; not medical advice.
Review the privacy audit, understand where data is stored, delete logs when no longer needed, and avoid logging information you do not want retained.
