Calorie Lookup

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears aligned with nutrition lookup, but it uses third-party API keys, external/sub-agent processing of food text or photos, and a local cache that users should understand.

This looks safe for its stated purpose. Before installing, be aware that it needs nutrition-service API keys, may send food descriptions or photos through sub-agent/model workflows for translation or recognition, and stores lookup results in a local SQLite cache.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Spoonacular or USDA key may be used for lookups and may consume service quota.

Why it was flagged

The skill uses third-party API credentials from environment variables. This is expected for Spoonacular/USDA nutrition lookup, and the artifacts do not show hardcoded keys, credential logging, or unrelated account access.

Skill content

USDA_API_KEY = os.getenv("USDA_FDC_API_KEY", "").strip()
SPOONACULAR_API_KEY = os.getenv("SPOONACULAR_API_KEY", "")

Recommendation

Use only the API key needed for the service, avoid hardcoding it in files, and monitor provider quota or billing if applicable.

What this means

Food descriptions and photos can reveal personal dietary or health-related information and may be processed by configured model providers.

Why it was flagged

The workflow shares user-provided food text or photos with sub-agents, including a multimodal image-recognition path. This is disclosed and aligned with the skill's purpose, but users should understand that personal meal details/images may enter that processing flow.

Skill content

Main agent sends raw user text to Decomposer Sub-agent ... Main agent sends photo (and optional text) to `calorie-lookup-image-recognizer` Sub-agent

Recommendation

Use the image or translation features only for food information you are comfortable sending through the agent/model workflow.

What this means

Recent food lookup details may remain in a local SQLite cache on the machine running the skill.

Why it was flagged

Lookup results include the user’s food name and amount and are stored in the local cache. This is expected caching behavior, but it means meal-query details can persist locally until expiry or deletion.

Skill content

"name_raw": f"{name} {qty}{unit}", ... "kcal": _round(spoon_nutrients["kcal"]), ... cache_set(cache_key, item, SPOONACULAR_ITEM_TTL)

Recommendation

Set `CALORIE_SKILL_CACHE_DB` to an appropriate private path, and delete the cache if you do not want local meal-query history retained.

What this means

Future installs may resolve to a newer `requests` version than the author tested.

Why it was flagged

The skill depends on a standard HTTP library using a lower-bound version rather than an exact pinned version or lockfile. This is common and purpose-aligned, but it is less reproducible than pinned dependencies.

Skill content

requests>=2.31.0

Recommendation

For stricter reproducibility, install in a virtual environment and consider pinning dependency versions in your deployment.