Skill v1.0.0

ClawScan security

Diet Logger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 6:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (writing fixed-format diet notes to an Obsidian vault); it only reads/writes local files and does not request credentials, network access, or unusual installs.
Guidance
This skill appears to do what it says: run a local Python script to append diet entries into a fixed-format Obsidian markdown file. Before installing or using it, check and possibly change the hardcoded VAULT_PATH in scripts/log_diet.py to a path you control (it currently points to /mnt/c/Users/loong/...). Running the script will create/modify files at that location, so ensure you trust that path and have backups if needed. No network calls or secrets are requested, so the main risks are accidental overwrites or writing to the wrong directory — review the script and adjust the path if you want it to target a different vault or make the path configurable.

Review Dimensions

Purpose & Capability
ok: Name/description (diet logging to Obsidian) align with the provided script and SKILL.md. The script creates/updates markdown files in an Obsidian-like vault directory, which is exactly what the skill claims to do.
Instruction Scope
note: Instructions only tell the agent to run the included Python script with date/meal/items arguments. The script performs only local file I/O to create/update a markdown file. Note: the script writes to a hardcoded vault path (/mnt/c/Users/loong/.../05-Daily) which is user-specific and may not exist or be appropriate on other systems; this is a usability/configuration concern but not a malicious action.
Install Mechanism
ok: No install spec; the skill is instruction + single script. No external downloads or package installs are requested.
Credentials
ok: The skill requests no environment variables or credentials. All required inputs are CLI arguments. There are no unrelated secret accesses or config path reads beyond the single hardcoded vault path used for its stated purpose.
Persistence & Privilege
ok: always:false and no changes to other skills or system-wide settings. The script writes files only under the vault path; it does not modify other skills or request elevated privileges.