What to Eat Today | 今天吃什么

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent food recommendation skill, with the main caution being optional image-helper utilities that can contact external sites and run a user-supplied command if invoked.

For ordinary food recommendations, this skill looks safe and purpose-aligned. Before using the optional image hydration tools, be aware they may contact Bing/Pollinations, save downloaded images locally, and can execute a command you provide via --external-ai-cmd.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the optional image helper is run, the machine will make network requests and store externally sourced images for the skill.

Why it was flagged

The optional image-filling helper can contact public external services and save downloaded/generated image bytes locally.

Skill content

search_url = f"https://www.bing.com/images/search?q={encoded}&form=HDRSC2" ... f"https://image.pollinations.ai/prompt/{encoded_prompt}" ... out_path.write_bytes(data)

Recommendation

Use the image hydration helper only when you want external image fetching/generation, keep limits small, review generated images, and use dry-run or disable Pollinations if network calls are not desired.

What this means

If a user supplies an untrusted or malformed external command template, it could execute unintended local shell commands.

Why it was flagged

The optional external AI fallback runs a user-provided command through the shell.

Skill content

cmd = external_ai_cmd.replace("{name}", name).replace("{out_path}", str(out_path)) ... subprocess.run(cmd, shell=True, check=False, timeout=timeout)

Recommendation

Only pass trusted commands to --external-ai-cmd; avoid untrusted templates and prefer running the default recommendation flow without this optional helper unless needed.