Skill v1.1.0

ClawScan security

Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 7, 2026, 6:50 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's commands and memory usage generally match a nutrition-tracking purpose, but the runtime instructions ask the agent to modify global heartbeat files and set up cron jobs, and the SKILL.md includes an install instruction that is not present in the registry metadata — these mismatches and the silent, automatic writes to user memory deserve review before installation.
Guidance
Before installing or enabling this skill:
1) Confirm where memory files (MEMORY.md, memory/YYYY-MM-DD.md) and HEARTBEAT.md are stored and who can read them — ensure sensitive health data will remain private and that the skill's promise to write only in private DMs is enforceable.
2) Ask whether the skill will actually create system cron jobs or use an agent-managed scheduler; creating OS cron entries may require elevated permissions and is a persistent change.
3) Verify the provenance of the 'nutrition' CLI and the pip package 'nutrition-cli' (who publishes it, view the package source).
4) Decide whether you consent to silent automatic writes/learning (storing health context, preferences, streaks) and proactive reminders; require explicit consent prompts if desired.
5) Resolve the discrepancy between the registry (no install spec) and the SKILL.md install instruction.
If the maintainer can clarify these items (explicit install spec, exact paths modified, and whether heartbeat/cron changes are optional and require user confirmation), that would raise confidence toward 'benign.'

Review Dimensions

Purpose & Capability
ok
The declared required binary ('nutrition') and the skill's instructions (search, log, config, summary, barcode) are coherent with a nutrition/meal-tracking CLI. Required capabilities are consistent with the stated purpose.
Instruction Scope
concern
Instructions direct the agent to read and write user memory (MEMORY.md and memory/YYYY-MM-DD.md), append to HEARTBEAT.md, and create cron reminders. Writing health context and preferences to memory is within the domain, but the instructions also direct silent, automatic updates ('Write silently — do not announce...') and proactive modifications (heartbeat integration, cron jobs). The skill grants itself discretionary behavior (observe patterns, update profiles) which increases privacy risk and requires explicit user consent and clear boundaries.
Install Mechanism
note
Registry metadata lists no install spec, but SKILL.md contains an install entry recommending installing a pip package 'nutrition-cli'. This inconsistency should be resolved. Installing a pip package is a common delivery method but carries moderate risk (verify package provenance and contents). No direct download URLs are present in the manifest, which is better than arbitrary external downloads.
Credentials
ok
The skill requests no environment variables or external credentials. There are no unrelated secrets requested — the permission surface is limited to the 'nutrition' binary and the agent's memory/heartbeat files.
Persistence & Privilege
concern
The skill will append to HEARTBEAT.md (a global/system-level heartbeat snippet) and instruct the agent to set up cron entries for proactive reminders. Modifying a shared heartbeat file or creating scheduled jobs changes agent/system-wide behavior beyond the skill's own files. Although 'always' is not set, this cross-config modification and persistent scheduling capability increases the blast radius and should be explicitly authorized by the user/administrator.