饮食记录追踪

Security checks across malware telemetry and agentic risk

Overview

This is a simple local diet tracker that stores meal records on the user’s computer and does not show hidden network, credential, or destructive behavior.

Install only on a device where you are comfortable keeping a local food diary. The main privacy consideration is the local file ~/.qclaw/workspace/diet.json; delete or protect that file if the contents are private.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill documentation indicates local file read/write capability via a JSON file in the user's home workspace, but it does not declare any permissions. Undeclared file access weakens transparency and consent, making it easier for a user or platform to underestimate what the skill can access or modify, even if the apparent use here is only diet tracking data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal