Personal Nutrition

Security checks across malware telemetry and agentic risk

Overview

This is a coherent nutrition-tracking skill that stores meal, water, calorie, and weight notes locally, with privacy considerations users should understand before use.

Install this only if you are comfortable keeping a local nutrition journal on your OpenClaw VPS at /data/.openclaw/workspace/knowledge/personal/nutrition.md. Treat that file as sensitive because it may contain diet, weight, and wellness patterns; review filesystem access, backups, and deletion practices if you share or administer the VPS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly states that the skill tracks meals, water intake, weight, and eating habits and stores them in a local file, which constitutes sensitive health-related personal data. There is no warning about privacy, retention, access control, backups, or who can read the file, so users may expose health data on a VPS without understanding the risks.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger conditions are overly broad and include many common food-related words, which can cause the skill to activate in ordinary conversation without clear user intent to engage a nutrition coach. Unintended invocation increases the chance of reading or updating sensitive personal nutrition data in contexts where the user did not expect health tracking behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly instructs the agent to update a persistent file containing personal health-related data whenever the user mentions food or water, but it provides no notice, consent step, or confirmation before writing. This creates a privacy and data-handling risk because sensitive dietary, weight, and wellness information may be stored without the user's informed awareness.

VirusTotal

65/65 vendors flagged this skill as clean.