Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
减肥打卡记录
v1.0.1减肥进度追踪助手。用户告诉 AI 今天的体重,AI 自动帮您记录并生成漂亮的图表,清晰展示减肥进度。支持中英文界面,macOS/Windows/Linux 多平台使用。当用户说"记录体重"、"今天体重"、"减肥打卡"、"体重多少"时自动触发。
⭐ 0· 82·0 current·0 all-time
by万码千钧@mixinan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (weight tracking + chart) match the included files and required operations: config.json, weight_history.json, jianfei.html and a setup.sh to pick a port. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md instructs the agent to read/modify weight_history.json, start a local HTTP server, open the local page with the browser tool, screenshot it, then stop the server. Those actions are appropriate for generating the chart image, but they do involve running shell commands and manipulating local files — which is expected for a local web-based tracker.
Install Mechanism
No install spec is provided; this is instruction-only with bundled assets. The included setup.sh is present but contains only local logic (platform detection, port probing, interactive prompts) and does not download external resources. No remote archive downloads or 3rd-party package installs were found.
Credentials
The skill requests no environment variables, no credentials, and no config paths outside its own asset directory. Access to local JSON files and launching a local HTTP server are proportional to the stated functionality.
Persistence & Privilege
always:false and no special persistence or modification of other skills/systems. The skill runs interactively and does not request elevated persistent privileges.
Assessment
This skill appears to be what it says: a small local web app that stores weight records in weight_history.json and serves jianfei.html. Things to consider before installing: 1) The included setup.sh and the SKILL.md ask you to run shell commands — inspect setup.sh (you can see it) before running it. 2) The instructions start a Python HTTP server without an explicit bind host; by default that can be reachable from the local network. If you want it strictly local, run: python3 -m http.server <PORT> --bind 127.0.0.1. 3) The skill will read/write weight_history.json and config.json in the skill directory — back them up if they contain data you care about. 4) Stopping the server uses kill/netstat/fuser commands; those are normal but review them if you have sensitive long-running processes. If you want extra assurance, run the HTML locally from a sandboxed machine or inspect the full jianfei.html to verify it does not contact external endpoints (the provided files appear to only load local JSON).Like a lobster shell, security has layers — review code before you run it.
dietvk9750c95va0ba62m25fh1mkc2n83tt8bfitnessvk9750c95va0ba62m25fh1mkc2n83tt8bhealthvk9750c95va0ba62m25fh1mkc2n83tt8blatestvk9750c95va0ba62m25fh1mkc2n83tt8btrackervk9750c95va0ba62m25fh1mkc2n83tt8bweight-lossvk9750c95va0ba62m25fh1mkc2n83tt8b
License
MIT-0
Free to use, modify, and redistribute. No attribution required.