Fatsecret

Security checks across malware telemetry and agentic risk

Overview

This FatSecret skill appears useful, but it has under-disclosed credential handling and third-party data-flow issues that users should review before installing.

Install only if you are comfortable granting FatSecret account access and storing credentials locally. Treat the config and token files as secrets, avoid running it in shared or logged environments, and verify whether it sends lookups to Open Food Facts as well as FatSecret. Prefer a patched version that removes token printing, fixes the OAuth documentation, validates the config directory, and documents all external services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Tainted flow: 'CONFIG_FILE' from os.environ.get (line 20, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"saved_at_human": time.ctime()
            }
            
            with open(CONFIG_FILE, 'w') as f:
                json.dump(config, f, indent=2)
            
            self.consumer_key = consumer_key
Confidence
94% confidence
Finding
with open(CONFIG_FILE, 'w') as f:

Tainted flow: 'TOKENS_FILE' from os.environ.get (line 21, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
"created_human": time.ctime()
            }
            
            with open(TOKENS_FILE, 'w') as f:
                json.dump(token_data, f, indent=2)
            
            return True
Confidence
95% confidence
Finding
with open(TOKENS_FILE, 'w') as f:

Tainted flow: 'TOKENS_FILE' from os.environ.get (line 20, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
os.makedirs(CONFIG_DIR, exist_ok=True)
    
    # Save file
    with open(TOKENS_FILE, 'w') as f:
        json.dump(token_data, f, indent=2)
    
    print(f"✅ Tokens saved to: {TOKENS_FILE}")
Confidence
92% confidence
Finding
with open(TOKENS_FILE, 'w') as f:

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The authentication section states that OAuth2 supports read-only access without user login, while the changelog says OAuth2 was removed and OAuth1 is now used for all operations. In security-sensitive flows, contradictory auth documentation can cause operators or agents to choose the wrong flow, mishandle credentials, or assume reduced privilege where full user authorization is actually required.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The CLI command table labels search, barcode, and recipes as OAuth2-based, but the changelog says all operations now use OAuth1. This inconsistency can lead users or agents to run commands under false assumptions about privilege level, prompting unnecessary credential exposure or authorization mistakes.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The agent integration section still documents OAuth2-style read-only behavior even though the changelog indicates OAuth2 was removed. For agent-operated skills, stale auth guidance is especially risky because it can drive automated handling of credentials and user prompts based on an incorrect trust and privilege model.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The helper persists user-provided consumer credentials and later tokens to local disk, which exceeds the user-visible skill description and creates a real secret-retention risk. Even if intended for convenience, hidden persistence increases exposure through filesystem compromise, backups, logs, or other local processes.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
Proxy support is an undisclosed operational capability that can reroute all authentication and API traffic through attacker-controlled infrastructure if FATSECRET_PROXY or config is influenced. Although HTTPS provides transport security, proxies can still expose metadata, increase phishing/SSRF-like risk in enterprise environments, and violate user expectations about network routing.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The helper uses an environment-controlled base directory for reading and writing configuration and token files, which grants broader local file access flexibility than the nutrition-search skill requires. In hostile or shared execution environments, this expands the attack surface for secret placement, file overwrite, and unintended file reads from attacker-selected locations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The implementation targets Open Food Facts even though the skill is declared as a FatSecret integration. This service-identity mismatch is dangerous because users and orchestrators may believe data is going to one provider while it is actually sent to a different third party, creating a trust, privacy, and supply-chain integrity issue. In this skill context, the mismatch is more dangerous because the capability is explicitly nutrition lookup, so users are likely to provide food queries and barcodes expecting the declared provider.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The module and class docstrings explicitly describe an Open Food Facts client, contradicting the skill's declared FatSecret purpose. While documentation mismatch alone is not a code execution risk, it materially increases the chance of deceptive behavior, misrouting of user data, and unsafe approval of the skill under false assumptions. The skill context makes this more concerning because the declared functionality centers on third-party nutrition data access, where provider identity matters.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly tells users to place `consumer_key` and `consumer_secret` in a plaintext JSON file under a predictable filesystem path, without any warning about file permissions, secret managers, or secure storage. If that file is exposed through weak host security, container image layering, backups, logs, or accidental source control inclusion, attackers can steal the credentials and use the FatSecret API as the victim, potentially causing quota exhaustion or unauthorized access tied to the account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code stores consumer credentials on disk without a clear user-facing warning, consent flow, or retention explanation. In an agent setting, users may reasonably assume they are only authorizing API use, not permitting persistent local plaintext storage of reusable secrets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Printing the OAuth request token and token secret exposes sensitive credentials to terminal history, shell logging, CI logs, remote session recording, or observability tooling. Even temporary tokens can be abused during the authorization window and normalize unsafe secret-handling practices in a credential-focused script.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Access tokens and token secrets grant ongoing access to a user's FatSecret account and diary data, so printing them to the console can directly leak account access. In agent, container, or managed execution environments, stdout is often captured centrally, making this substantially more dangerous than a local-only script assumption suggests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes access tokens, token secrets, and also the consumer secret into a plain JSON file without enforcing secure permissions or encrypted storage. This creates a durable local credential cache that can be read by other users, exposed through backups, mounted volumes, or container filesystem access.

Missing User Warnings

Low
Confidence
84% confidence
Finding
User-supplied search terms and barcodes are transmitted to an external API without any visible user-facing disclosure in the code path. This is primarily a privacy/transparency issue rather than an injection flaw, but it can expose potentially sensitive dietary interests or product lookups to a third party without informed consent. In this skill context, the risk is somewhat elevated because nutrition and food-diary-related queries can reveal personal habits or health-related preferences.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The client constructs outbound hosts from a caller-controlled country value, allowing requests to be directed to arbitrary Open Food Facts regional subdomains without clear restriction or disclosure. Even though the domain suffix is fixed to openfoodfacts.org, this still expands the set of destinations and weakens predictability, which is problematic in a skill that users expect to contact a specific declared provider. The mismatch with the FatSecret skill context makes this more suspicious and increases trust and privacy risk.

VirusTotal

66/66 vendors flagged this skill as clean.
