What to Eat Today | 今天吃什么

Security checks across malware telemetry and agentic risk

Overview

This food recommendation skill is mostly coherent, but it needs review because its optional image helper can contact third-party services and run a free-form local shell command.

Review before installing. The normal recommendation script is a local food suggestion tool, but do not run scripts/hydrate_food_images.py unless you are comfortable with external image services receiving dish names/prompts and local files being written. Avoid --external-ai-cmd unless you fully trust the exact command template and run it in a constrained environment; keep Feishu image sending limited to images you intend to share.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
.replace("{out_path}", str(out_path))
    )
    try:
        result = subprocess.run(cmd, shell=True, check=False, timeout=timeout)
    except Exception:
        return False
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, check=False, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation exposes execution paths involving shell, file read/write, and network access, yet no permissions are declared. That creates a hidden capability gap: an agent or reviewer may assume the skill is low-risk dish recommendation logic while it can actually execute commands, access local files, and interact with external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is simple meal recommendation, but the analyzed behavior includes web access, image generation, subprocess execution of external AI commands, and local data modification. This mismatch is dangerous because it conceals materially riskier behavior behind an innocuous description, increasing the chance of unsafe approval and unexpected side effects during use.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill instructs the agent to copy local images into a workspace and send them via Feishu/OpenClaw message tooling, which expands the skill from recommendation into runtime-specific file handling and message dispatch. In context, that broadens data movement and creates opportunities for unintended file exposure or misuse of messaging capabilities beyond what a food suggestion skill should need.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This block allows arbitrary external shell commands to be executed as an optional fallback, which materially expands the skill's capabilities beyond image hydration into general command execution. In a skill ecosystem, such hidden execution surfaces are dangerous because they can be abused for system compromise, data exfiltration, or persistence if exposed to untrusted input or operators.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README documents automatic image fetching and fallback image generation using external services and even a user-provided external AI command, but it does not warn that food names, prompts, or related metadata may be sent over the network to third parties. In an agent skill context, undocumented outbound network behavior increases privacy, compliance, and supply-chain risk because users and integrators may not realize content is being shared externally.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger condition is overly broad and mandatory, covering common everyday phrases and 'any dining need.' In context, this increases the chance the skill is invoked unnecessarily, causing unintended execution of higher-risk capabilities such as shell, network, and file operations in situations where a normal conversational response would have sufficed.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The 'when to use' guidance lacks clear boundaries and treats any preference information as sufficient to activate the skill. Because this skill appears to have capabilities beyond simple recommendation, ambiguous activation criteria make accidental invocation more dangerous than in a purely local, read-only assistant skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Executing a user-provided shell command template with shell=True creates a direct arbitrary command execution path. The lack of explicit warning is secondary; the core danger is that this feature can be abused to run any shell command on the host, which is far more dangerous given the skill's ordinary food-related purpose.

VirusTotal

66/66 vendors flagged this skill as clean.