✓
Purpose & Capability
Name, description, and SKILL.md behavior align: commands relate to logging glucose, trends, diet advice, alerts and reports. The functionality described is coherent with a blood-sugar tracker.
ℹ
Instruction Scope
SKILL.md only instructs running clawhub sugar subcommands (log, trend, diet, alert) and does not ask to read system files or environment variables. However the skill expects a specific CLI (clawhub) in runtime commands but does not declare that requirement in the skill registry; the README suggests installing via npx clawhub@latest, which means the agent or user must install/run external code to use the skill.
ℹ
Install Mechanism
The skill is instruction-only (no install spec, no code files) which lowers risk. But README recommends 'npx clawhub@latest install blood-sugar-tracker' and _meta.json lists curl as a required binary — these install/usage hints are inconsistent and imply additional tooling or network installs are needed even though the registry metadata lists no required binaries.
✓
Credentials
No environment variables, credentials, or config paths are declared or referenced in SKILL.md. This is proportionate for a local tracking tool. Note: the skill references external tooling (clawhub) which may itself require credentials or network access — that is outside this skill's manifest and should be checked.
✓
Persistence & Privilege
always is false and model invocation is not disabled; the skill is user-invocable and behaves like a normal skill. It does not request permanent presence or modify other skills according to the provided data.
Scan Findings in Context
[meta_requires_bins_curl] unexpected: _meta.json lists 'curl' as a required binary, but the registry metadata provided earlier reports no required binaries and SKILL.md does not use curl. This is an inconsistency that should be clarified.
[references_clawhub_cli] expected: SKILL.md commands call 'clawhub sugar ...'. That is expected for an instruction-only skill that wraps a CLI, but the registry does not declare 'clawhub' or an installation requirement; README suggests installing clawhub via npx. Verify availability and behavior of this CLI before use.
[no_code_files_for_regex_scan] expected: The package is instruction-only with no code files, so the regex-based scanner had nothing to analyze. Absence of scan findings is not a guarantee of safety.
What to consider before installing
This skill appears to do what it says (log glucose, show trends, give diet advice) but has inconsistent metadata about required tooling. Before installing or running:
1) Confirm what the 'clawhub' CLI does and whether you need to install it (README suggests 'npx clawhub@latest'); run it in a sandbox to inspect its behavior.
2) Ask the author or vendor to clarify why _meta.json lists curl and why the registry lists no required binaries; ensure no unexpected network calls or downloads occur.
3) Treat health data as sensitive: verify where data is stored (local vs remote) and read the privacy policy or source code for the clawhub tool.
4) If you cannot verify the external CLI's behavior, avoid installing or grant it only limited, isolated access (e.g., in a VM or container).