ClawHub

Calorie Tracker

Security checks across malware telemetry and agentic risk

Overview

This calorie-tracking skill is instruction-only and purpose-aligned, but it locally retains personal food, goal, and preference data that users should be aware of.

Install only if you are comfortable with calorie goals, meal patterns, preferences, and saved foods being kept locally in ~/calories/memory.md. Review or delete that file if you want to reset or remove retained nutrition history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly persists sensitive health-related data, including goals, patterns, preferences, and potentially eating-disorder-adjacent signals, in a local memory file without a clear user-facing notice or consent flow. Because this is health-adjacent personal data retained across sessions, undisclosed persistence increases privacy risk, surprise, and potential secondary misuse if the file is later accessed by other tools or users on the system.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly encourages building a persistent personal food library from label photos, homemade recipes, and restaurant favorites, which implies retention of behavioral and potentially sensitive health-related data over time. In a calorie-tracking context, this data can reveal diet habits, routines, and health goals, so collecting and reusing it without clear consent, retention limits, or privacy notice creates a real privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal