ClawHub

Fasting Tracker

Security checks across malware telemetry and agentic risk

Overview

This fasting tracker appears purpose-aligned and locally scoped, but users should understand it may save sensitive fasting and symptom notes on their machine.

Install only if you are comfortable with fasting-related notes being saved locally in ~/fasting/memory.md. Avoid using it on shared machines, review or delete that file when needed, and do not rely on the skill as medical advice, especially for extended fasts, pregnancy, diabetes, medication use, low body weight, or any history of disordered eating.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The logging rule relies on broad natural-language examples like "starting fast" or "last meal at 8pm" without defining explicit consent or activation boundaries. In a health-related skill, this can cause the agent to infer and persist sensitive fasting or dietary information from ordinary conversation, creating privacy and autonomy risks even if the author likely intended convenience.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly stores fasting preferences and health-related details externally in `~/fasting/memory.md`, including symptoms, metrics, schedule, and protocol, but does not present a clear privacy notice, retention policy, or consent mechanism. Because this is sensitive health-adjacent data, silent persistence increases the risk of unauthorized disclosure, unexpected profiling, or local data exposure on shared or insecure systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file presents extended fasting durations as standard protocol options and only advises medical supervision at 5+ days, omitting clearer safety cautions for 24-72 hour fasts. In a fasting-tracker skill, users may treat this as actionable health guidance, which increases the risk of unsafe fasting behavior for people with diabetes, eating disorders, pregnancy, low body weight, or those taking medications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal