Daily Meal Planner

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

Before installing, be comfortable with first-run recipe JSON downloads from GitHub/jsDelivr, weather lookups through wttr.in, and a local user_profile.json that can store location, preferences, diet goals, and allergies. Delete the profile file or use a sandbox if you do not want that data retained. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The recipe database can change after installation, so recommendations may depend on remote content that was not bundled with the skill.

Why it was flagged

The script downloads recipe JSON data from mutable main-branch GitHub/jsDelivr URLs when local data files are missing.

Skill content

DATA_MIRRORS=[ "https://github.com/GMMG55/daily-meal-planner/raw/main/scripts", "https://cdn.jsdelivr.net/gh/GMMG55/daily-meal-planner@main/scripts" ] ... urlopen(f"{base}/{fn}",timeout=15).read()

Recommendation

Use it only if you trust the referenced repository/CDN. For stronger assurance, prefer pinned data versions or checksums and review downloaded JSON files.

What this means

Future recommendations may reuse saved personal dietary information, and stale or incorrect profile data could affect meal suggestions.

Why it was flagged

The skill keeps persistent local memory of user preferences, location, diet goals, and allergies for future recommendations.

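Skill content

Automatically saved to the local `user_profile.json`: location, mood, desired food category, preferred cuisines, liked dishes, disliked dishes, diet goals, allergenic ingredients.

Recommendation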

Review or delete user_profile.json if you do not want persistent personalization, especially for allergies or dietary restrictions.

What this means

A third-party weather service may receive your city or location string when weather-based recommendations are generated.

Why it was flagged

The weather lookup sends the configured city/location to the wttr.in weather service.

Skill content

urlopen(urllib.request.Request(f"https://wttr.in/{city}?format=j1",headers={"User-Agent":"Mozilla/5.0"}),timeout=6)

Recommendation

Avoid saving a precise location if privacy matters, or use manual weather options instead of automatic weather lookup.

What this means

Users might underestimate the sensitivity of the stored profile data even though the fields are disclosed elsewhere.

Why it was flagged

The privacy wording says there is no sensitive data, while the same document discloses storage of location, diet goals, and allergens, which some users may consider personal.

Skill content

**No sensitive data** ... does not request any keys, system credentials, or personal private information ... `user_profile.json` ... diet goals, allergenic ingredients

Recommendation

Treat the local profile as personal information and delete it when you do not want preferences, location, or allergy data retained.